Introduction


The SC-200 exam deals with technologies that are relevant for Microsoft Security Operations Analysts who collaborate with organizational stakeholders to secure information technology systems for the organizations. This exam covers topics that will help to reduce organizational risk by rapidly remediating active attacks in the environment, advising on improvements to threat protection practices, and referring violations of organizational policies to appropriate stakeholders. The exam also covers topics such as investigation and response for threats using Microsoft Azure Sentinel, Azure Defender, Microsoft 365 Defender, and third-party security products.


This book covers every major topic area found on the exam, but it does not cover every exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. If you encounter a topic in this book that you do not feel completely comfortable with, use the "Need more review?" links you'll find in the text to find more information and take the time to research and study the topic. Great information is available on docs.microsoft.com, at MS Learn, and in blogs and forums.


Organization of this book 


This book is organized by the "Skills measured" list published for the exam. The "Skills measured" list is available for each exam on the Microsoft Learning website: http://aka.ms/examlist. Each chapter in this book corresponds to a major topic area in the list, and the technical tasks in each topic area determine that chapter's organization. If an exam covers six major topic areas, for example, the book will contain six chapters.


Preparing for the exam 


Microsoft certification exams are a great way to build your résumé and let the world know 
about your level of expertise. Certification exams validate your on-the-job experience and 
product knowledge. Although there is no substitute for on-the-job experience, preparation 
through study and hands-on practice can help you prepare for the exam. This book is not 
designed to teach you new skills. 
We recommend that you augment your exam preparation plan by using a combination of available study materials and courses. For example, you might use the Exam Ref and another study guide for your "at home" preparation and take a Microsoft Official Curriculum course for the classroom experience. Choose the combination that you think works best for you. Learn more about available classroom training and find free online courses and live events at http://microsoft.com/learn. Microsoft Official Practice Tests are available for many exams at http://aka.ms/practicetests.


Note that this Exam Ref is based on publicly available information about the exam and the 
authors’ experience. To safeguard the integrity of the exam, authors do not have access to the 
live exam. 


Microsoft certification 


Microsoft certifications distinguish you by proving your command of a broad set of skills and 
experience with current Microsoft products and technologies. The exams and corresponding 
certifications are developed to validate your mastery of critical competencies as you design 
and develop, or implement and support, solutions with Microsoft products and technologies 
both on-premises and in the cloud. Certification brings a variety of benefits to the individual 
and to employers and organizations. 


MOREINFO ALL MICROSOFT CERTIFICATIONS 


For information about Microsoft certifications, including a full list of available certifications, go to http://www.microsoft.com/learn.


Check back often to see what is new! 


Errata, updates & book support 


We've made every effort to ensure the accuracy of this book and its companion content. You 
can access updates to this book—in the form of a list of submitted errata and their related 
corrections—at: 


MicrosoftPressStore.com/ExamRefSC200/errata 
If you discover an error that is not already listed, please submit it to us at the same page. 


For additional book support and information, please visit MicrosoftPressStore.com/Support. 
Please note that product support for Microsoft software and hardware is not offered through the previous addresses. For help with Microsoft software or hardware, go to http://support.microsoft.com.


Stay in touch 


Let's keep the conversation going! We're on Twitter: http://twitter.com/MicrosoftPress. 
Mitigate threats using Microsoft 365 Defender


In recent years, the proliferation of endpoint protection, detection, and response technologies enabled security operations teams to gain better visibility into attacks that target endpoints. This is one reason that dwell time—the measurement of time between the start of an incident and when a security operations team detects the intrusion—has decreased from a 78-day median in 2019 to 56 days in 2020 (Source: FireEye 2020 M-Trends). Unfortunately, this trend also encouraged malicious actors to increase their use of other attack vectors, such as email, cloud applications, and identities. These additional attack vectors pressure security teams to cover more ground in these additional domains, making it increasingly difficult for incident responders to effectively protect, detect, and respond to these threats.


Microsoft 365 Defender helps security operations teams respond to threats across these 
domains by providing the following features: 


■ Consolidated incident model
■ Consolidated portal
■ Automated self-healing
■ Cross-product hunting


Skills covered in this chapter: 


■ Detect, investigate, respond, and remediate threats to the productivity environment using Microsoft Defender for Office 365

■ Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint

■ Detect, investigate, respond, and remediate identity threats

■ Manage cross-domain investigations in Microsoft 365 Defender Security portal
Skill 1-1: Detect, investigate, respond, and remediate threats to the productivity environment using Microsoft Defender for Office 365


Attackers use email and Microsoft Office documents to gain initial entry into targeted systems. Microsoft Defender for Office 365 can identify, alert, block, and remediate these attacks. If an attacker is successful in gaining a foothold in the targeted system, sensitive data could be at risk of theft. Configuring data loss prevention policies, sensitivity labels, and insider risk policies can protect this data and alert security and compliance teams to the attempted exfiltration.


Examine a malicious spear phishing email 


One popular attack vector is credential harvesting via spear phishing coupled with a forged login page. MITRE ATT&CK defines spear phishing as "an attempt to trick targets into divulging information, frequently credentials, or other actionable information." The spear phishing email in Figure 1-1 appears to be from Bob Smith, the Contoso Corporation CEO. The email was sent to Paul DePaul, CFO of Contoso Corporation, and asks him to click a link and use his email account to log in.


FIGURE 1-1 Spear phishing email (subject line: "Zoom call for earnings")


There are two suspicious properties in this email:

■ The email is marked as having been sent with High Importance. This is a method to encourage the user to read and respond to the email right away. Creating a sense of urgency is commonly seen in social engineering-based attacks.

■ The sender name is spoofed. The email appears to be from Contoso CEO Bob Smith, though the sender address ends in gmail.com.

When the user clicks the link in the email, they are presented with the web page shown in 
Figure 1-2. 

This website is intended to look real enough so the user will type in their Office 365 user- 
name and password. Once the user types in their credentials and clicks Sign In, the credentials 
are sent to the attacker so they can log in to Office 365 as that user. 
FIGURE 1-2 Credential harvesting website


To protect users from links in spear phishing emails, you need a technology that will scan 
links in emails when the email is delivered and when a user clicks the link. This ensures the 
links are safe to click, which takes the decision out of the user's hands. Safe Links is a feature in 
Defender for Office 365 that provides the best protection against these types of spear phishing 
attacks with malicious links. 


The Safe Links feature in Microsoft Defender for Office 365 protects user email in two ways:

■ Links that are sent in email are scanned before they are delivered to the user's mailbox.

■ Links are scanned again when a user clicks the link. Scanning the link upon click is critical because a common attack technique to evade email protection is to activate the malicious content on the hosting site after the email passes through a company's email security layer.


These protections can be configured for emails sent to the company from outside email 
systems (inter-organization) as well as emails sent within the company (intra-organization). 


Configuring a Safe Links policy 

To configure a Safe Links policy, you must be a member of the Organization Management or the Security Administrator role groups configured in the Permissions & Roles section of the Microsoft 365 Security Portal (https://security.microsoft.com). For read-only access to Safe Links policies, you must be a member of either the Global Reader or Security Reader role groups. Note these are role groups in Office 365 and are separate from Azure Active Directory roles. However, the Global Admin and Security Administrator roles in Azure Active Directory are members of the Organization Management and Security Administrator role groups by default, respectively.


MOREINFO CUSTOM ROLES IN THE ROLE-BASED ACCESS CONTROL FOR MICROSOFT 
365 DEFENDER 


For more information on Office 365 roles, please see https://docs.microsoft.com/en-us/microsoft-365/security/defender/custom-roles?view=o365-worldwide.


Use the following steps to configure a Safe Links policy: 


1. Log in to https://security.microsoft.com with the required permissions.
2. Under Email & Collaboration, click Policies & Rules > Threat Policies.
3. In Threat Policies, under Policies, click the Safe Links icon.

4. Click Create to start the Create A New Safe Links Policy wizard, as shown in Figure 1-3.


FIGURE 1-3 Name Your Policy


5. Provide a Name and Description for your Safe Links policy. You can have more than one policy that targets specific users in your organization, so keep this in mind when choosing your naming scheme. Click Next to move to the Settings page, as shown in Figure 1-4.

6. On the Settings page, set the Select The Action For Unknown Potentially Malicious URLs In Messages option to On. This allows the policy to check for malicious links.

7. Set the Select The Action For Unknown Or Potentially Malicious URLs Within Microsoft Teams setting to On. This setting allows Safe Links to protect links shared in Microsoft Teams.
FIGURE 1-4 Create Safe Links Policy wizard's Settings page


8. To allow Safe Links to protect clicks on URLs that point to files, select the Apply Real-Time URL Scanning For Suspicious Links And Links That Point To Files option.

Waiting for URL scanning to complete before delivering the message reduces the chance of false negatives because it allows Safe Links to scan the link completely before delivering the email to the user. False negatives occur when a malicious link is delivered because it was scanned and found not to be malicious (sometimes referred to as a miss). We strongly recommend that you enable Apply Real-Time URL Scanning For Suspicious Links And Links That Point To Files.

9. Select the Apply Safe Links To Email Messages Sent Within The Organization option to prevent malicious links from being sent between mailboxes in the same company. Once they have breached one mailbox, it is common for attackers to start to phish other mailboxes in the same company. Users are very likely to click malicious links in emails, especially when they are sent from a coworker!

10. The Do Not Track User Clicks option should be left unchecked to ensure you know what links users are clicking.

11. Select the Do Not Allow Users To Click Through To Original URL option, which prevents users from bypassing the Safe Links block page and thereby accepting the risk of visiting a website believed to be malicious. This typically results in undesirable consequences.

12. The Display The Organization Branding On Notification And Warning Pages option allows you to customize the block page branding with a company logo. Scrolling down the Settings page exposes the Do Not Rewrite The Following URLs option shown in Figure 1-5.
FIGURE 1-5 Do Not Rewrite The Following URLs


13. The Do Not Rewrite The Following URLs option allows you to add URLs that should not be rewritten to interact with Safe Links. Typically, this setting is used to allow access to third-party phishing test sites.

14. Once you have the Settings page options set as needed, click Next to display the Notification page shown in Figure 1-6.


FIGURE 1-6 Safe Links Notification settings (custom notification text: "That link is bad")


15. On the Notification page, there are two options: Use The Default Notification Text or Use Custom Notification Text. The Custom Notification Text box allows you to enter the custom text you want to be displayed to users when they interact with a link that is blocked by Safe Links. Select the Use Microsoft Translator For Automatic Localization option to allow your custom notification text to be translated to the user's locale. Click Next to advance to the Applied To page shown in Figure 1-7.
FIGURE 1-7 Safe Links Applied To page


16. On the Applied To page, you configure which groups, users, or domains this Safe Links policy will apply to. In this example, the policy will apply to all users who have email addresses with these domains: fespiresec.mail.onmicrosoft.com and fespiresec.onmicrosoft.com. Combinations of conditions can be used to include specific users and groups of users. Exceptions can be used to exclude specific users, groups, or domains from this Safe Links policy. Click Next.


17. The Review Your Settings page lists all the configuration settings made so far in the 
Safe Links configuration wizard. You can edit any of the settings from this screen. When 
the settings are configured as desired, click Finish to create the Safe Links policy. 


Multiple Safe Link policies can be created, as shown in Figure 1-8. 


FIGURE 1-8 Safe Link policy view
Safe Link policies can be enabled or disabled using the Status slider. The Priority determines in what order the policies are applied. The policy with Priority 0 is applied first, followed by the policy with Priority 1, and so on. Once a policy's Applied To condition is met, no additional policies are processed.
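The same Safe Links policy the wizard builds, created from Exchange Online PowerShell instead. This is an added example, not code from the book; it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds one of the role groups named above. The policy name, recipient domains, phishing-test URL and notification text are placeholders.

```powershell
# Added example (not from the book). Assumes: Install-Module ExchangeOnlineManagement
# has been run and the account is in Organization Management or Security Administrator.
Connect-ExchangeOnline

$policyName = 'SC200 Safe Links'                              # placeholder name
$domains    = 'contoso.com', 'contoso.mail.onmicrosoft.com'   # placeholder recipient domains

# Settings page, with each option chosen the way the steps above recommend.
$policyParams = @{
    Name                          = $policyName
    EnableSafeLinksForEmail       = $true    # action for unknown potentially malicious URLs in messages: On
    EnableSafeLinksForTeams       = $true    # action for URLs within Microsoft Teams: On
    ScanUrls                      = $true    # apply real-time URL scanning, incl. links that point to files
    DeliverMessageAfterScan       = $true    # wait for the scan to finish before delivering (fewer misses)
    EnableForInternalSenders      = $true    # apply Safe Links to mail sent within the organization
    TrackClicks                   = $true    # leave "Do not track user clicks" unchecked
    AllowClickThrough             = $false   # do not let users click through to the original URL
    EnableOrganizationBranding    = $true    # company branding on warning pages
    DoNotRewriteUrls              = 'https://phishtest.example.com/*'   # placeholder third-party phish-test site
    CustomNotificationText        = 'That link is bad'                 # custom notification text (Figure 1-6)
    UseTranslatedNotificationText = $true    # localize the custom text with Microsoft Translator
}
New-SafeLinksPolicy @policyParams

# Applied To page: a rule binds the policy to recipients. Priority 0 is evaluated first,
# and once a recipient matches this rule no lower-priority Safe Links rule is processed.
New-SafeLinksRule -Name $policyName -SafeLinksPolicy $policyName `
    -RecipientDomainIs $domains -Priority 0

# Review Your Settings: confirm the values that matter most for spear phishing links.
Get-SafeLinksPolicy -Identity $policyName |
    Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, ScanUrls,
                  DeliverMessageAfterScan, EnableForInternalSenders, AllowClickThrough, TrackClicks
Get-SafeLinksRule -Identity $policyName |
    Select-Object Name, Priority, State, RecipientDomainIs
```

To put a subset of users under a stricter or looser policy, create a second policy and give its rule a lower Priority number; exceptions use the ExceptIf* parameters of New-SafeLinksRule.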


MOREINFO SET UP SAFE LINKS POLICIES IN MICROSOFT DEFENDER FOR OFFICE 365 


You can learn more about setting up Safe Links policies at 
https://aka.ms/sc200_setupsafelinks. 


Click Global Settings to open a side menu, as shown in Figure 1-9. 


FIGURE 1-9 Safe Links Global Settings (panels: Global settings for users included in active Safe Links policies, Block the following URLs, Settings that apply to content in supported Office 365 apps)


Under the Global Settings For Users Included In Active Safe Links Policies setting, you 
can configure URLs that will always be blocked in emails and Office 365 Apps. A possible use 
case for this feature is that if a false negative (miss) occurs, you can add the URL to this list, and 
it will be blocked, regardless of the verdict from Safe Links. 
The Settings That Apply To Content In Supported Office 365 Apps options control whether links inside Office 365 Apps are protected by Safe Links. For example, if a PowerPoint presentation contains a slide with a link to a malicious site, these settings will control whether Safe Links will protect the link.


MOREINFO CONFIGURE GLOBAL SETTINGS FOR SAFE LINKS IN MICROSOFT DEFENDER 
FOR OFFICE 365 


You can learn more about these global settings at https://aka.ms/sc200_SLglobalsettings. 


Malicious attachments 


Attackers sometimes use malicious files attached to emails to gain unauthorized access to a system. This entry point is valuable to the attacker because it establishes a foothold from which to carry out additional attacks on other systems connected to the compromised one. Signature-based detections are often not enough to catch these malicious files. Fortunately, the Safe Attachments feature in Defender for Office 365 provides additional protection against this type of attack.


Safe Attachments uses dynamic analysis coupled with Machine Learning to detect threats 
in files and prevent the files from landing in a user's inbox. Since this is a resource-intensive 
operation, the Safe Attachments analysis occurs only on files that do not already have an 
anti-malware signature. Files that do have an anti-malware signature are blocked by Exchange 
Online Protection before they reach Safe Attachments. 


Configuring a Safe Attachments policy 


To configure a Safe Attachments policy, you must be a member of the Organization Management or the Security Administrator role groups configured in the Permissions & Roles section of the Microsoft 365 Security Portal (https://security.microsoft.com).


NOTE ROLE GROUP MEMBERSHIPS 


For read-only access to Safe Attachment policies, you must be a member of either the 
Global Reader or Security Reader role groups. Note these are role groups in Office 365 and 
are separate from Azure Active Directory roles. 


Use the following steps to configure a Safe Attachment policy: 
1. Log in to https://security.microsoft.com with the required permissions. 
2. Under Email & Collaboration, click Policies & Rules > Threat Policies. 
3. In Threat Policies, under Policies, click the Safe Attachments icon. 


4. Click Create to start the Create A New Safe Attachments Policy wizard shown in 
Figure 1-10. 
FIGURE 1-10 Name your Safe Attachments policy


5. On the Name Your Policy screen, enter a Name for the policy and add a Description. You can have more than one policy that targets specific users in your organization, so keep this in mind when choosing your naming scheme. Click Next to advance to the Settings page shown in Figure 1-11.


FIGURE 1-11 Safe Attachments Settings page


6. The Safe Attachments Unknown Malware Response setting controls how the Safe Attachments feature will interact with an email containing a file attachment.

■ Off—Attachment Will Not Be Scanned For Malware This setting essentially disables Safe Attachments.

■ Monitor—Continue Delivering The Message After Malware Is Detected; Track Scan Results This setting is an "audit mode" that allows you to do a what-if analysis of attachments that would be blocked without actually blocking the attachments.

■ Block—Block The Current And Future Email And Attachments With Detected Malware This is the most intrusive Safe Attachments mode. If an email contains an attachment that is found to be malicious by Safe Attachments, the email and the attachment will not be delivered to the recipient(s). This is the default and recommended setting.

■ Replace—Block The Attachments With Detected Malware, Continue To Deliver The Message In this mode, Safe Attachments will deliver the email, but the attachment will be replaced with a text file indicating the file was infected and was removed.

■ Dynamic Delivery (Preview Feature)—Deliver The Message Without Attachments Immediately And Reattach Once Scan Is Complete This setting delivers the email body while the attachment is scanned. A preview of the attachment is provided until the Safe Attachments analysis is complete. If the attachment is found to be malicious, a text file will instead be placed in the message indicating the file was infected and removed.


7. The last few options on the Settings page are shown in Figure 1-12.


FIGURE 1-12 Redirect Attachment On Detection


8. If the Redirect Attachment On Detection option is selected, the detected malicious files will be sent to a mailbox that you configure, so you can collect these samples for further analysis.

9. Selecting the Apply The Above Selection If Malware Scanning For Attachment Times Out Or Errors Occur option ensures that files that time out or error out during scanning are treated the same way as the action you configured in the policy. Be sure to also select Redirect Attachment On Detection, so that a file blocked only because its scan failed, and which turns out not to be malicious, can be recovered for the user.

10. Once you have the options configured to meet your needs, click Next to show the Applied To page shown in Figure 1-13.
FIGURE 1-13 Applied To page


11. The Applied To page is where you configure which groups, users, or domains this Safe Attachments policy will apply to. In this example, the policy will apply to all users with email addresses with the domains fespiresec.mail.onmicrosoft.com and fespiresec.onmicrosoft.com. Combinations of conditions can be used to include specific users and groups of users. Exceptions can be used to exclude specific users, groups, or domains from this Safe Attachments policy. Click Next.


12. The Review Your Settings page lists all the configuration settings made so far in 
the Safe Attachments configuration wizard. You can edit any of the settings from this 
screen. When the settings are configured as desired, click Finish to create the Safe 
Attachments policy. 


Multiple Safe Attachments policies can be created, as shown in Figure 1-14. 


FIGURE 1-14 Safe Attachments policy view (two policies listed: "Safe Attachments" and "Safe Attachments for Advanced Users", each with a Priority and Status)
MOREINFO SET UP SAFE ATTACHMENTS POLICIES IN MICROSOFT DEFENDER FOR OFFICE 365

You can learn more about setting up Safe Attachments policies at https://aka.ms/sc200_setupsafeattach.


Safe Attachments policies can be enabled or disabled using the slider under Status. The 
Priority determines the order in which the policies are applied. The policy with Priority 0 is 
applied first, followed by the policy with Priority 1, and so on. Once a policy's Applied To 
condition is met, no additional policies are processed. 
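The two-policy layout of Figure 1-14, built from Exchange Online PowerShell with the wizard's options mapped to cmdlet parameters. This is an added example, not code from the book; it assumes the ExchangeOnlineManagement module and a suitably privileged account. Policy names, domains, the sample-collection mailbox and the group are placeholders.

```powershell
# Added example (not from the book). Assumes ExchangeOnlineManagement is installed and
# the account is in Organization Management or Security Administrator.
Connect-ExchangeOnline

$domains       = 'contoso.com', 'contoso.mail.onmicrosoft.com'   # placeholder recipient domains
$sampleBox     = 'malware-samples@contoso.com'                   # placeholder mailbox for redirected samples
$advancedUsers = 'advanced-users@contoso.com'                    # placeholder distribution group

# Unknown Malware Response maps to -Action: Allow (= Monitor), Block, Replace, DynamicDelivery.
# "Off" is -Enable $false. Block is the default and recommended setting.
$mainPolicy = @{
    Name            = 'Safe Attachments'
    Enable          = $true
    Action          = 'Block'
    Redirect        = $true          # Redirect Attachment On Detection
    RedirectAddress = $sampleBox     # where blocked/monitored/replaced samples are sent
    ActionOnError   = $true          # apply the same action when scanning times out or errors
}
New-SafeAttachmentPolicy @mainPolicy

# A second policy for a smaller group that prefers faster delivery (Dynamic Delivery).
$advancedPolicy = @{
    Name            = 'Safe Attachments for Advanced Users'
    Enable          = $true
    Action          = 'DynamicDelivery'
    Redirect        = $true
    RedirectAddress = $sampleBox
    ActionOnError   = $true
}
New-SafeAttachmentPolicy @advancedPolicy

# Applied To: the group-specific rule gets Priority 0 so it is evaluated before the
# domain-wide rule at Priority 1; a recipient matching the first rule stops processing.
New-SafeAttachmentRule -Name $advancedPolicy.Name -SafeAttachmentPolicy $advancedPolicy.Name `
    -SentToMemberOf $advancedUsers -Priority 0
New-SafeAttachmentRule -Name $mainPolicy.Name -SafeAttachmentPolicy $mainPolicy.Name `
    -RecipientDomainIs $domains -Priority 1

# Review: the same Name / Priority / Status view as Figure 1-14.
Get-SafeAttachmentRule | Sort-Object Priority |
    Select-Object Name, Priority, State, SafeAttachmentPolicy, RecipientDomainIs, SentToMemberOf
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, Redirect, RedirectAddress, ActionOnError
```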


Clicking Global Settings opens a side menu, as shown in Figure 1-15. 


FIGURE 1-15 Safe Attachments Global settings (options: Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams; Turn on Safe Documents for Office clients; Allow people to click through Protected View even if Safe Documents identified the file as malicious)


These Global settings apply to files stored on SharePoint, OneDrive, and Microsoft Teams and prevent users from accessing malicious files in these locations tenant-wide. The key difference between these settings and Safe Attachments policies is that these settings focus on files outside of emails. Here are the protections you can enable in Global Settings:

■ Turn On Defender For Office 365 For SharePoint, OneDrive, And Microsoft Teams applies Safe Attachments' malicious file-detection capabilities to files stored in these locations. With this option enabled, if a malicious file is stored in these locations, the user would be unable to open the file. This option should be set to Enabled.

■ Turn On Safe Documents For Office Clients enables the files opened by Office 365 apps to be scanned by Cloud Protection, a component of Microsoft Defender for Endpoint that provides an added layer of protection on top of Safe Attachments protection. This option should be set to Enabled.

■ Allow People To Click Through Protected View Even If Safe Documents Identified The File As Malicious would allow users to override Safe Documents' verdict of a file. We recommend that you do not enable this option.
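The tenant-wide settings behind the Safe Attachments Global Settings above, together with the "block this URL regardless of verdict" use case from the Safe Links Global Settings earlier, set from Exchange Online PowerShell. This is an added example, not code from the book; it assumes the ExchangeOnlineManagement module and a privileged account, and the blocked URL is a placeholder. The URL block is written to the Tenant Allow/Block List, which is where current tenants keep the entries the Figure 1-9 "Block the following URLs" box represented.

```powershell
# Added example (not from the book). Assumes ExchangeOnlineManagement is installed and
# the account is in Organization Management or Security Administrator.
Connect-ExchangeOnline

# Safe Attachments > Global settings (Figure 1-15), set to the recommended values.
$globalParams = @{
    EnableATPForSPOTeamsODB = $true    # Turn On Defender for Office 365 for SharePoint, OneDrive, Teams
    EnableSafeDocs          = $true    # Turn On Safe Documents (needs Microsoft 365 E5 / E5 Security)
    AllowSafeDocsOpen       = $false   # do NOT let users click through Protected View on a malicious verdict
}
Set-AtpPolicyForO365 @globalParams

# Verify the three switches after the change.
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB, EnableSafeDocs, AllowSafeDocsOpen

# Safe Links global use case: a link that was a false negative (a miss) and must be blocked
# from now on regardless of the Safe Links verdict. Placeholder entry; '/*' covers all paths.
$missedUrl = 'phish.example.net/*'
New-TenantAllowBlockListItems -ListType Url -Block -Entries $missedUrl -NoExpiration `
    -Notes 'Safe Links miss reported by SOC; blocked tenant-wide'

# Confirm the block entry exists.
Get-TenantAllowBlockListItems -ListType Url -Block |
    Where-Object { $_.Value -eq $missedUrl } |
    Select-Object Value, Action, ExpirationDate, Notes
```

A file that Safe Documents wrongly flags cannot be recovered by users when AllowSafeDocsOpen is $false; an admin releases it, which is the intended trade-off.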


MOREINFO TURN ON SAFE ATTACHMENTS FOR SHAREPOINT, ONEDRIVE, AND 
MICROSOFT TEAMS 


You can learn more about setting up Safe Attachments policies for these products at 
https://aka.ms/sc200_safeattach4sps. 


MOREINFO SAFE DOCUMENTS IN MICROSOFT 365 E5 


You can learn more about setting up Safe Documents at https://aka.ms/sc200_safedocs. 


Anti-phishing policies

Exchange Online Protection (EOP), which is included with the Office 365 Exchange Online service, provides a moderate amount of protection against phishing. Microsoft Defender for Office 365 takes anti-phishing protection to the next level by adding the following features:

■ Impersonation protection

■ Configurable advanced phishing thresholds


Impersonation protection 


Impersonation protection applies to two types of impersonation: user impersonation and 
domain impersonation. User impersonation occurs when an attacker sends an email where the 
user portion of an email address mimics a user who is credible to the recipient. In the previous 
spear phishing example, the attacker used Bob Smith as the sender’s name to mimic the Contoso 
CEO. The attacker could have further impersonated Bob Smith by creating the email account 
bobsmith@fabrikam.com to increase the chances of the recipient responding to the message. 


With domain impersonation, an attacker registers a domain that closely resembles a legitimate domain. For example, instead of contoso.com, the attacker could register consoto.com, which means that at first glance the recipient would recognize the Contoso name and interact with the message. Combinations of symbols and numbers are also used in this technique, such as bobsmith@C0NTOSO.com. (A zero is used instead of the first letter 'O' in CONTOSO.)
Configurable advanced phishing thresholds

Advanced phishing thresholds allow you to define how aggressive the machine learning models should be when determining if an email is a phish. The machine learning models driving the phishing detection in Defender for Office 365 have the ability to score on a scale of low, medium, high, or very-high confidence levels. The more aggressively you configure this setting, the higher the chance of false positives. False positives occur when a legitimate email is falsely determined to be a phishing email and is kept out of the recipient's inbox. False negatives can occur if the setting is not aggressive enough, so this setting is a double-edged sword. Each organization is different in terms of how much risk it is willing to accept, which will drive the decision when setting this threshold.


Below are the advanced phishing thresholds available: 


■ 1—Standard The machine learning model will treat phish based on the determined 
confidence level. This is the default setting. 

■ 2—Aggressive High-confidence phish and above will be treated like very-high-
confidence phish. 

■ 3—More aggressive Medium-confidence phish and above will be treated like very-
high-confidence phish. 

■ 4—Most aggressive All emails determined to be any level of phish will be treated 
like very-high-confidence phish. 


MORE INFO RECOMMENDED SETTINGS FOR CONFIGURING EOP AND DEFENDER FOR OFFICE 365 


The Microsoft recommended settings for anti-phishing can be found at 
https://aka.ms/sc200_antiphishrecommended. 


Configuring an anti-phishing policy 

To configure an anti-phishing policy, you must be a member of the Organization Management 
or the Security Administrator role groups configured in the Permissions & Roles section 
of the Microsoft 365 Security Portal (https://security.microsoft.com). For read-only access 
to anti-phishing policies, you must be a member of either the Global Reader or Security Reader 
role groups. 


Use the following steps to configure an anti-phishing policy: 
1. Log in to https://security.microsoft.com. 
2. Under Email & Collaboration, click Policies & Rules > Threat Policies. 
3. In Threat Policies, under Policies, click the Anti-Phishing icon. 


4. Click Create to start the Create A New Anti-phishing Policy wizard and display the 
Name Your Policy screen, as shown in Figure 1-16. 
FIGURE 1-16 Name your anti-phishing policy. 


5. Type in a Name and a Description for the policy. You can have more than one policy 
that targets specific users in your organization, so keep this in mind when choosing your 
naming scheme. Click Next to advance to the Applied To page shown in Figure 1-17. 


FIGURE 1-17 Applied To page 


6. The Applied To page is where you configure which groups, users, or domains this 
anti-phishing policy will apply to. The policy will apply to all users with email addresses 
with the domains fespiresec.mail.onmicrosoft.com and fespiresec.onmicrosoft.com. Combinations 
of conditions can be used to include specific users and groups of users. Exceptions 
can be used to exclude specific users, groups, or domains from this anti-phishing 
policy. Click Next. 

7. The Review Your Settings page lists the configurations made so far in the anti-phishing 
configuration wizard. You can edit any of the settings from this screen. When the 
settings are configured as desired, click Create This Policy, which will create the policy 
with default settings. 
8. On the Anti-Phishing Policy screen, click the anti-phishing policy you just created. 
This will open a fly-out menu where you configure the Impersonation settings and 
Advanced Settings, as shown in Figure 1-18. 


FIGURE 1-18 Edit page for an anti-phishing policy 


9. Click Edit next to the Impersonation settings to open the Edit Impersonation 
Policy wizard; the wizard starts with the Editing Add Users To Protect page shown 
in Figure 1-19. 
FIGURE 1-19 Editing Add users to protect in the anti-phishing impersonation policy 


10. Click the toggle button to On. This will expose a section where you can add users who 
you want to protect from user impersonation. You can add up to 60 email accounts 
to this list. Typically, you want to add users with high public visibility, such as the CEO, 
as well as external users associated with your company, such as board members. Bob 
Smith was added because he is the Contoso CEO. When finished adding email accounts, 
click Add Domains To Protect, shown in Figure 1-20. 


FIGURE 1-20 Editing Add Domains To Protect in the anti-phishing impersonation policy 
12. On the Add Domains To Protect page of the wizard, enter the domains you want to 
protect from domain impersonation. You can add up to 50 domains to protect. To add 
the domains configured in your Office 365 tenant, click the toggle switch under Automatically 
Include The Domains I Own to On. To enter email domains that are external 
to your company that you normally do business with, click the toggle switch under 
Include Custom Domains to On. Tailspintoys.com was entered under Add Domains 
because they are a major supplier to Contoso. When you are finished adding domains, 
click the Actions option on the left, as shown in Figure 1-21. 


FIGURE 1-21 Editing Actions in the anti-phishing impersonation policy 


The Actions wizard page is where you configure what action you want performed when 
an email is believed to be impersonating a user or domain. Both cases are set to Move 
Message To The Recipients’ Junk Email Folders. You can set the same action on both 
user and domain impersonation, or you can set a different action for each. The choices 
for Actions include: 

■ Redirect Message To Other Email Addresses 
■ Move Message To The Recipients’ Junk Email Folders 
■ Quarantine The Message 
■ Deliver The Message And Add Other Addresses To The BCC Line 
■ Delete The Message Before It’s Delivered 
■ Don’t Apply Any Action 


The Turn On Impersonation Safety Tips text is a clickable link that, when clicked, opens 
the Safety Tips configuration window shown in Figure 1-22. 


FIGURE 1-22 Editing Safety tips in the anti-phishing impersonation policy 


These options allow a banner to be added to emails when a user or domain is impersonated 
or when unusual characters are present in the sender email address, such as 
bobsmith@C0NTOSO.com (where a zero is used instead of the first O in CONTOSO). Set 
the toggle switch to On for each of these settings and click Save when you are finished. 
This will return you to the Actions wizard page. 


When you have the options set on the Actions wizard page, click the Mailbox Intelligence 
option on the left, as shown in Figure 1-23. 
FIGURE 1-23 Editing the Mailbox Intelligence 


14. Mailbox Intelligence is an additional layer of artificial intelligence-driven protection 
that learns the sending and receiving patterns of the users configured to be protected 
by the impersonation policy. This pattern learning improves the efficacy of the impersonation 
policy and should be turned on. If Mailbox Intelligence is what catches the 
impersonation, the action configured under If Email Is Sent By An Impersonated 
User is taken. The actions are configurable as follows: 


■ Redirect Message To Other Email Addresses 
■ Move Message To The Recipients’ Junk Email Folders 
■ Quarantine The Message 
■ Deliver The Message And Add Other Addresses To The Bcc Line 
■ Delete The Message Before It’s Delivered 
■ Don’t Apply Any Action 


Once you have the action configured, click the Add Trusted Senders And Domains 
option on the left, as shown in Figure 1-24. 


Adding sender email addresses and domains to exempt them from the impersonation 
policy should only be done for recurring false positives. Exempting too many domains 
increases your exposure to impersonation. It is best to start out with no exceptions if 
possible. Click the Review Your Settings text on the left. 
FIGURE 1-24 Add Trusted Senders And Domains 


15. The Review Your Settings page lists all the configuration settings made so far in the 
Edit Impersonation Policy Configuration wizard. You can edit any of the settings 
from this screen. When the settings are configured as desired, click Save to apply the 
impersonation settings to the anti-phishing policy and return to the Edit Your 
Policy Standard Anti-Phishing page shown in Figure 1-25. 


FIGURE 1-25 Edit Your Policy Standard Anti-Phishing page 
Lastly, you need to configure the Advanced Settings of the Anti-Phishing Policy. 
Click Edit next to Advanced Settings to open the Editing Advanced Phishing 
Thresholds window shown in Figure 1-26. 


FIGURE 1-26 Editing Advanced Phishing Thresholds 


Depending on the tolerance for false positives (in other words, emails not reaching the 
intended recipients), set this policy to the appropriate aggressiveness. One approach is 
to leave the setting at the default, 1-Standard, and increase aggressiveness 
if there are false negatives. Repeat this process until the efficacy is acceptable. After setting 
the aggressiveness, click the Review Your Settings option on the left. 


The Review Your Settings page lists all the configuration settings made so far in the 
Advanced Settings wizard. You can edit any of the settings from this screen. When the 
settings are configured as desired, click Save to apply the Advanced Settings to the 
anti-phishing policy. 

Click Close to complete the configuration of the anti-phishing policy. 


Multiple anti-phishing policies can be created, as shown in Figure 1-27. 


FIGURE 1-27 Anti-phishing policies 


Anti-phishing policies can be enabled or disabled using the slider under Status. The 
Priority determines in what order the policies are applied. The policy with priority 0 is 
applied first, followed by the policy with priority 1, and so on. Once a policy's Applied 
To condition is met, no additional policies are processed. 
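The configuration walked through above (naming the policy, the Applied To domains, users and domains to protect, actions, safety tips, mailbox intelligence, the phishing threshold) and the priority order just described, as an added example scripted with Exchange Online PowerShell; this is not code from the book. It assumes the ExchangeOnlineManagement module is installed, uses the policy name Standard Anti-phishing and the sample users and domains from the figures, and leaves the spoof settings at their defaults.

```powershell
# Added example (not from the book): Exchange Online PowerShell equivalent of the
# anti-phishing policy built in the portal steps above. Assumptions: the
# ExchangeOnlineManagement module is installed, the signed-in account holds one
# of the role groups named in the chapter, and the users/domains are the
# chapter's Contoso scenario and the Applied To screenshot.
Connect-ExchangeOnline

$policyName = 'Standard Anti-phishing'

# The policy holds the impersonation, mailbox intelligence and threshold
# settings; the rule created below decides whom it applies to and in what order.
$policySettings = @{
    Name                                = $policyName
    AdminDisplayName                    = 'Anti-phishing policy for pilot domains'

    # Users to protect: "DisplayName;EmailAddress" entries, up to 60.
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Bob Smith;bobsmith@contoso.com')

    # Domains to protect: the tenant's own domains plus custom ones, up to 50.
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('tailspintoys.com')

    # Actions: MoveToJmf = Move Message To The Recipients' Junk Email Folders.
    # Other values: NoAction, BccMessage, Delete, Quarantine, Redirect.
    TargetedUserProtectionAction        = 'MoveToJmf'
    TargetedDomainProtectionAction      = 'MoveToJmf'

    # Safety tips: user impersonation, domain impersonation, unusual characters.
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true

    # Mailbox intelligence, with its own impersonation action.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'

    # Advanced phishing threshold: 1 Standard, 2 Aggressive, 3 More aggressive,
    # 4 Most aggressive. Start at 1 and raise it only if phish keep getting through.
    PhishThresholdLevel                 = 1
}
# ExcludedSenders / ExcludedDomains are deliberately left unset: start with no
# trusted-sender exceptions and add them only for recurring false positives.
New-AntiPhishPolicy @policySettings

# The rule is the Applied To page: recipient domains, plus priority 0 so this
# rule is evaluated before any other custom anti-phishing rule.
New-AntiPhishRule -Name "$policyName rule" `
    -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'fespiresec.mail.onmicrosoft.com', 'fespiresec.onmicrosoft.com' `
    -Priority 0

# Check the evaluation order: rules run by ascending Priority, and the first
# rule whose conditions match a recipient is the one applied.
Get-AntiPhishRule | Sort-Object Priority |
    Format-Table Priority, Name, AntiPhishPolicy, State, RecipientDomainIs -AutoSize

# Later tuning, one level at a time, if false negatives persist:
# Set-AntiPhishPolicy -Identity $policyName -PhishThresholdLevel 2
```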
MORE INFO ANTI-PHISHING POLICIES IN MICROSOFT 365 


Full documentation for the anti-phishing policies in Microsoft 365 can be found at 
https://aka.ms/sc200_antiphishpol. 


Attack Simulation Training 


Having a cybersecurity awareness program is an essential part of your overall plan to combat 
email-based attacks. Earlier in this chapter, we covered ways to prevent malicious emails from 
reaching users. But a good cybersecurity defensive posture demands that you examine every 
layer of your defenses and come up with a plan for how you will mitigate a threat that makes 
it through each layer. This raises the question, “How can I help end users not click everything 
that is delivered to their Inbox?” While this is a frustrating and constant battle, it is important to 
keep in mind that users do not have years of cybersecurity knowledge (which tends to produce 
a healthy amount of skepticism). They need help separating good emails from an email that just does 
not seem right. This is the reason the Attack Simulation Training feature in Microsoft Defender 
for Office 365 was created. You can use this tool to send benign emails with suspicious qualities 
to train your users to look for signs that an email should be reported rather than interacted 
with (for example, clicking the link, opening the attachment, or gladly typing their corporate 
credentials into every web-based credential page). The Attack Simulation Training feature is an 
impressive improvement to the initial Attack Simulator that was released in 2019. 


Launching a simulation 

To create a new attack training simulation, you must be a member of one of the following roles: 
■ Organization Management 
■ Security Administrator 
■ Attack Simulator Administrators 


NOTE SEPARATE ROLE GROUPS 


These are role groups in Office 365 and are separate from Azure Active Directory roles. 


Follow these steps to create a new simulation: 
1. Log in to https://security.microsoft.com. 


2. Under Email & Collaboration, click Attack Simulation Training, as shown in Figure 1-28. 
FIGURE 1-28 Create an attack simulation. 


3. Click Simulations > Launch A Simulation, which brings up the Select Technique step 
in the attack simulation creation wizard shown in Figure 1-29. 


FIGURE 1-29 Creating an attack simulation 


4. Under Select Technique, choose the simulation technique you want to run against your 
users. For this simulation, choose Credential Harvest and click Next to bring up the 
Name Simulation page shown in Figure 1-30. 


FIGURE 1-30 Add a Simulation Name and Description for the simulation. 
5. Enter a name for the simulation under Simulation Name and enter a Description. Click 
Next to advance to the Select Payload page shown in Figure 1-31. 


FIGURE 1-31 Select a payload for the simulation. 


6. Select a payload for the simulation. This is what will be used to bait the user for the 
Credential Harvest technique. You can sort the payloads by the Predicted Compromise 
Rate (%) column, which is calculated based on the compromised percentage of all 
Microsoft Defender for Office 365 customers. You can click Send A Test to the currently 
logged-in user to see the payload sample before you commit. Based on the 42 percent 
predicted compromise rate, select Payroll Work File Sharing and then click Next. 


7. In the Target Users page, you can choose to Include All Users In My Organization 
or Include Only Specific Users And Groups. In this case, select Include Only Specific 
Users And Groups and click Add Users to open the Add Users fly-out pane, as shown 
in Figure 1-32. 
FIGURE 1-32 Target users for the simulation. 


8. In the Add Users fly-out pane, there are some thoughtful suggestions on which users to 
target. For example, you can target Users Not Targeted By A Simulation In The Last 
Three Months or Repeat Offenders, which are users who continue to fall for the simulations. 
In this case, there is a user group created in Azure Active Directory to run the 
first simulation on pilot users. Once the desired user group is selected, click Add User(s) 
and then click Next to advance to the Assign Training page as shown in Figure 1-33. 


FIGURE 1-33 Assign Training 


9. Assign Training is a welcome addition to the Attack Simulation Training feature. You 
can assign training to users who fall for the simulations by interacting with the email 
and/or payload. You can choose to use the Microsoft Training Experience, Redirect 
To A Custom URL (handy if you have a Learning Management System, or LMS), or No 
Training. For the Microsoft Training Experience option, you can then choose to allow 
the system to Assign Training For Me based on the technique and payload used or 
Select Training Courses And Modules Myself. A Due Date can also be set for when 
the training must be completed by the user. Click Next. 


10. On the Training Landing Page, you can see the text the user will see if they fall for the 
simulation. You can customize the Header and Body of the page and view a preview. 
Type the text you want the user to see and click Next. 


11. The last options to configure are the Launch Details for when you want the simulation 
to launch and when you want it to end. You can also select the option to Enable Region 
Aware Timezone Delivery so the simulation does not deliver to users outside your 
time zone during off-work hours, which might cause them to miss the email. Click Next 
to advance to the Review Simulation page, as seen in Figure 1-34. 


FIGURE 1-34 Review Simulation 


12. Review Simulation allows you to edit the settings you have configured thus far in the 
simulation. You can also choose Send A Test to ensure the simulation operates as you 
expect before unleashing it on your users. Once you are satisfied with the configuration, 
click Submit to finalize the simulation. 


Reviewing the Attack Simulation Training results 


You can track how the simulation is playing out by clicking the simulation name on the main 
page of the Attack Simulation Training dashboard. Figure 1-35 shows one user who was 
tricked into interacting with the payload by clicking the link and supplying their credentials. 
FIGURE 1-35 Attack simulation results 


Attack Simulation Training settings 


The Attack Simulation Training feature settings are largely configured as part of the simulations; 
however, there are some overall settings that are important to mention. 


In the Attack Simulation Training section, clicking Settings shows the following options, 
which are also shown in Figure 1-36. 


Repeat offender threshold: Override the default value for calculating repeat offenders; the default is 
2. This number determines the number of simulations in a row in which 
a user is compromised to set the repeat offender flag on that user. 

Enable user training reminders: Allow Microsoft to send training reminders to users when their training 
is becoming due. 

Simulations excluded from reporting 


FIGURE 1-36 Attack Simulation Training settings 
Repeat Offender Threshold is the number of consecutive simulations a user must 
fall for to be classified as a repeat offender. These users can be specifically targeted for 
simulations as mentioned previously. 


Enable User Training Reminders periodically emails users who have training due 
because they fell for a simulation and interacted with the simulation payload. 


Because you cannot delete simulations, Simulations Excluded From Reporting comes 
in handy if you have a simulation that is tainted for some reason (such as the URL was 
blocked by proxy) and you do not want this simulation to skew the reporting. 


MORE INFO GET STARTED USING ATTACK SIMULATION TRAINING 


Full documentation for the Attack Simulation Training feature can be found at 
https://aka.ms/sc200_attacksimtraining. 


Data protection, labeling, and insider risk 


Data and intellectual property are among the most valuable assets in a company. With data 
being accessed from virtually anywhere on any device, protecting these assets is key. Microsoft 
365 Compliance features allow you to scan for sensitive data types, apply sensitivity labels 
to the data, and protect the data so that only authorized users have access. These steps help 
protect honest users from accidentally oversharing data. 


Sensitivity labels 


Sensitivity labels allow users to label their data according to company data handling 
policies. You can also auto-label documents with a sensitivity label if they match your defined 
criteria. 


Follow these steps to create a sensitivity label: 

1. Log in to https://compliance.microsoft.com as a member of the Global Administrator 
role in Azure Active Directory. You can also use an account that is a member of the 
Compliance Data Administrator, Compliance Administrator, or Security Administrator 
role groups. Note these are Office 365 role groups, and they are separate from 
Azure Active Directory roles. 

2. In the menu on the left side of the page, click Show All. 

3. Under Solutions, click Information Protection. 

4. On the Labels page, click Create A Label, which opens the New Sensitivity Label 
wizard shown in Figure 1-37. 

5. In the New Sensitivity Label wizard, provide a Name, Display Name, Description 
For Users, and Description For Admins. 

6. Select Files & Emails and click Next. 
FIGURE 1-37 Name & Description page in the New Sensitivity Label wizard 


7. Select Mark The Content Of Files and click Next. 

8. Select the content marking options you want to appear on files and emails classified 
with this sensitivity label and click Next. 

9. When auto-labeling files and emails, you want users to be able to choose their labels at 
first, so leave the auto-labeling option unselected and click Next. 

10. On the Define Protection Settings For Groups And Sites page, click Next. 

11. On the Review Your Settings And Finish page, make sure the options are configured to 
your specifications, and then click Create Label. 

12. Click Done once the label is created. 


Before users can use the labels, you need to publish the label using Label policies. 


1. Select the label you created and click the Publish Labels button shown in Figure 1-38. 


FIGURE 1-38 Publish Labels 


2. On the Choose Sensitivity Labels To Publish page, make sure your label is listed and 
click Next. 

3. On the Publish To Users And Groups page, leave the default of All Users And 
Groups, and click Next to open the Policy Settings page shown in Figure 1-39. 


Skill 1-1: Detect, investigate, respond, and remediate threats 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


FIGURE 1-39 Policy Settings 


4. On the Policy Settings page there are three options: 

■ Users Must Provide A Justification To Remove A Label Or Lower Its Classification 
This setting is meant to force the user to type in a justification if they set the 
classification of the document to a less sensitive label or remove the label entirely. 

■ Require Users To Apply A Label To Their Emails And Documents Before users 
can save documents or send emails, this option forces them to set a label. 

■ Provide Users With A Link To A Custom Help Page This setting allows you to set 
up a help page for users to explain the various sensitivity labels and how to use them. 

Once you select the options desired, click Next. 


5. Under Apply This Label As The Default Label To Documents And Emails, choose 
the label you created. This ensures all emails and documents are labeled. 

6. On the Name Your Policy page, provide a Name and Description for the label policy, 
and then click Next. 

7. On the Review And Finish page, ensure the settings are as you want them and click 
Submit to create the label policy. 

8. Once the policy is created, click Done. 


Users can now use the sensitivity label you created to label their documents and emails. 


MORE INFO LEARN ABOUT SENSITIVITY LABELS 


For additional information about sensitivity labels, see https://aka.ms/sc200_sensitivelabels. 


Managing data loss prevention alerts 


One of the responsibilities of a data loss prevention administrator is to respond to alerts 
indicating sensitive data, such as customer credit card numbers, were exposed to parties 
unintentionally. 
Follow these steps to review data loss prevention alerts: 

1. Log in to https://compliance.microsoft.com as a member of the Global Administrator 
role in Azure Active Directory. You can also use an account that is a member of the 
Compliance Data Administrator, Compliance Administrator, or Security Administrator 
role groups. Note these are role groups in Office 365 and are separate from 
Azure Active Directory roles. 

2. In the menu on the far-left side of the page, under Solutions, click Data Loss Prevention. 

3. At the top of the page, click the Alerts tab (see Figure 1-40). 


FIGURE 1-40 Data loss prevention alerts 


4. In Figure 1-40, high-severity alerts are shown, indicating a DLP policy match. Click the 
first alert, and then click View Details to open the alert page shown in Figure 1-41. 


FIGURE 1-41 Data loss prevention alert overview 




5. This alert indicates that Sam Tarley shared a file named Book.xlsx from OneDrive for 
Business. This file contains U.S. financial data in the form of credit card numbers. 
Under Other Alerts For This User, it appears that Sam has shared several other files 
with sensitive data in them. Once you have spoken to Sam, you can close this alert out. 

6. Under Manage Alert, set the Status to Resolved, assign the alert to yourself, and 
provide comments in the Comments text box; click Save. 


MORE INFO CREATE, TEST, AND TUNE A DLP POLICY 


For additional information about DLP policies and alerts, see https://aka.ms/sc200_dlppol. 


Insider risk 


Data leakage can also occur because of an insider threat. Insider threats are when a user with 
access to company data assets purposefully steals these assets for personal gain. The motivations 
of these individuals vary. Following are some examples: 

■ A disgruntled employee looking to embarrass the company publicly 

■ An employee who feels they are underpaid and who seeks to make money from selling 
company intellectual property to the highest bidder 


You can use insider risk management policies to generate alerts when activity is detected per 
the policy settings. Follow these steps to create an insider risk policy: 

1. Log in to https://compliance.microsoft.com as a member of the Global Administrator 
role in Azure Active Directory. You can also use an account that is a member of the 
Compliance Data Administrator, Compliance Administrator, or Security Administrator 
role groups. Note these are role groups in Office 365 and are separate from 
Azure Active Directory roles. 

2. In the menu on the far-left side of the page, under Solutions, click Insider Risk 
Management. 

3. Click Policies > Create Policy. 

4. Under Choose A Policy Template, under Categories, select Data Leaks. Under 
Templates, select General Data Leaks and click Next. 

5. On the Name Your Policy page, provide a Name and Description for your policy, and 
then click Next. 

6. On the Choose Users And Groups page, select Include All Users And Groups and 
click Next. 

7. On the Specify Content To Prioritize page, leave the I Want To Specify SharePoint 
Sites, Sensitivity Labels, And/Or Sensitive Info Types As Priority Content option at 
its default setting and click Next. 

8. On the SharePoint Sites To Prioritize (Optional) page, click Next. 

9. On the Sensitive Info Types To Prioritize (Optional) page, click Next. 
10. On the Sensitivity Labels To Prioritize (Optional) page, click Add Or Edit Sensitivity 
Label. Select the sensitivity label you created earlier and click Next. 

11. On the Indicators And Triggering Event For This Policy page, under Choose Triggering 
Event, select User Performs An Exfiltration Activity. Under Policy Indicators, 
select all the indicators in each section and click Next. 

12. On the Decide Whether To Use Default Or Custom Indicator Thresholds page, 
select Use Default Thresholds For All Indicators and click Next. 

13. On the Review Settings And Finish page, ensure the selections made are as you need 
them and then click Submit. 

This policy will begin to assess the indicators configured in the policy and raise an alert if a 
user performs an exfiltration activity, such as downloading files from SharePoint or emailing 
a significant number of attachments outside the organization. 


MORE INFO INSIDER RISK MANAGEMENT IN MICROSOFT 365 


For additional information about insider risk management, see 
https://aka.ms/sc200_insiderisk. 


Investigate and remediate an alert raised by Microsoft 
Defender for Office 365 


Alerts raised from Microsoft Defender for Office 365 are viewed in the Microsoft 365 Defender 
Security portal at https://security.microsoft.com. They are aggregated into incidents and investigated 
by the built-in Automated Investigation and Response technology. 
Following the steps below, you will triage and resolve an email security incident: 
1. Log in to https://security.microsoft.com as a member of the Organization Management 
or the Security Administrator role groups. 
2. In the menu on the far left, expand Incidents & Alerts and click Incidents to open the 
incidents page shown in Figure 1-42. 


FIGURE 1-42 Incident list view


3. On the Incidents page, note one of the detection sources is Office 365. Click the incident named Multi-Stage Incident On One Endpoint Reported By Multiple Sources to open the incident view, as shown in Figure 1-43.
FIGURE 1-43 Incident details page


4. This view tells you there are nine alerts in this incident, all falling into the Initial Access stage of the MITRE ATT&CK framework. Below the framework bar chart is a timeline of the alerts, starting with the alert that occurred first. The Scope shows the impacted assets are one device, one user, and two mailboxes. Click the Manage Incident link at the top-right of the page.


5. The Manage Incident fly-out window allows you to assign the incident to yourself, which lets other incident responders know you are working on this incident. You can also change the name of the incident. Click the Assign To Me slider and click Save to assign the incident to yourself.


6. Back on the incident page, click the Alerts section near the top of the page to view the alerts in this incident, as shown in Figure 1-44.

FIGURE 1-44 Incident alerts view


7. Alerts with the same title are grouped. Looking at the alert titles, it appears that an email with a malicious attachment was delivered to user mailboxes, and at least one of the users opened the attachment. Defender for Office 365 learned the attachment was malicious, but only after this occurred. At this point, you would typically begin searching mailboxes for this email and remove the messages. Thankfully, the Automated Investigation and Response feature in Defender for Office 365 has already found the messages and is waiting for your approval to remove them.


8. Click the Investigations section to view the investigations for the incident, shown in Figure 1-45.

FIGURE 1-45 Incident investigations view


9. There are three investigations with the Microsoft Defender for Office 365 service source, and all are pending approval. Click the first investigation in the list to open the Investigation Summary shown in Figure 1-46.

FIGURE 1-46 Investigation Graph tab


10. The investigation graph walks you through the steps taken by Automated Investigation to ensure that all the malicious emails were located and evaluated for malicious content. If malicious emails (including attachments) are found, they are marked Pending Action. Pending actions allow you to either approve or reject the recommended action for each artifact.

11. Click the Pending Actions section and then click the first pending action, as shown in Figure 1-47.


FIGURE 1-47 Pending Actions


You can review each action that Automated Investigation wants to take to clean up this incident. In this example, this email was found to be malicious, and the pending action is to soft delete the email. It was originally delivered to the inbox, though the Zero-Hour Auto Purge (ZAP) action removed it post-delivery from the user's inbox and placed it in quarantine. You can click each of the Pending Action items and approve them manually, or you can click the Select All check box and approve them all as one object, as shown in Figure 1-48.

FIGURE 1-48 Approve all actions

12. Choose Select All > Approve.

13. In the menu on the far left, click Action Center.


14. The Action Center allows you to approve all pending actions and view the history of 
actions already approved or rejected, as shown in Figure 1-49. 
FIGURE 1-49 Approve all actions in the Action Center


15. Click Select All, and then click Approve. 

16. Now that you have approved all the pending actions for this incident, the incident is 
ready to be marked as Resolved. Click back to the Incident. 

17. On the incident view, click Manage Incident to open the Manage Incident fly-out 
window, as shown in Figure 1-50. 


18. Click the Resolve Incident slider. Set the Classification to True Alert and select 
Malware under Determination. Provide Comments if necessary and click Save. 


MORE INFO REMEDIATION ACTIONS IN MICROSOFT DEFENDER FOR OFFICE 365


For additional information about remediation actions in Defender for Office 365, see https://aka.ms/sc200_mdoremediate.
FIGURE 1-50 Manage Incident


Skill 1-2: Detect, investigate, respond, and remediate 
endpoint threats using Microsoft Defender for Endpoint 


Threats to endpoints have continued to become more sophisticated and harder to detect. Techniques like "living off the land," which use built-in operating system utilities to avoid detection, are increasingly common. To meet this challenge, security teams invest millions of dollars in endpoint detection capabilities, leading to multiple security agents running on endpoints. The growing number of agents has the negative side effects of poor performance and patching troubles.
Microsoft Defender for Endpoint provides not only next-generation anti-virus (NGAV) and endpoint detection and response (EDR) but also additional capabilities, including:


■ 180 days of data retention stored in trusted Azure data centers

■ Antimalware coverage far beyond signature detections, powered by cloud protection and attack surface reduction

■ Tamper protection and detection

■ Manual response and AI-driven self-healing

■ Fast querying via advanced hunting

■ Threat and vulnerability management

■ Rich APIs and a partner ecosystem

■ Next-level threat intelligence via threat analytics

■ Multi-platform coverage, including Mac, Linux, iOS, Android, and Windows

■ Opt-in targeted attack notifications through Microsoft Threat Experts

■ Integration with Intune and conditional access


This list is not exhaustive and continues to grow as Microsoft Defender for Endpoint continues 
to release features at a blistering pace. 


MORE INFO MICROSOFT DEFENDER FOR ENDPOINT AND OTHER MICROSOFT SOLUTIONS


For additional information about integration with other Microsoft solutions, see 
https://aka.ms/sc200_mdeintegrations. 


Configuring Microsoft Defender for Endpoint 

There are two main areas of Microsoft Defender for Endpoint that require configuration: 
■ Configuration in the Microsoft 365 Security portal

■ Settings on the monitored endpoints


The focus of this chapter will be on configuring Microsoft Defender for Endpoint in the 
Microsoft 365 Security portal. 


Setting up the Microsoft Defender for Endpoint subscription 


There are two critical settings to take note of when performing the initial subscription 
configuration of Microsoft Defender for Endpoint. These settings include: 


■ Data location

■ Data retention period

Data location is selected during the initial subscription configuration and cannot be changed without offboarding all your endpoints and losing all your data. At the time of this writing, the regions available are:


■ United States

■ European Union

■ United Kingdom


You should check with your privacy officer to ensure you select the correct region to store your 
data. This list is for commercial offerings and does not include government offerings. 


IMPORTANT REGION CANNOT BE CHANGED! 


You cannot change the region your data is stored in once you configure your subscription 
without offboarding all endpoints and losing all data in the subscription! 


MORE INFO MICROSOFT DEFENDER FOR ENDPOINT DATA STORAGE AND PRIVACY


More details on Microsoft Defender for Endpoint data storage and privacy can be found at 
https://aka.ms/sc200_mdeprivacy. 


The data retention period is also selected during initial subscription configuration. Unlike the 
data location, the retention period can be changed at any time, even after completing the 
subscription configuration wizard. The default retention period is 180 days (6 months) and 
can be changed to 30, 60, 90, 120, or 150 days. 


Once the subscription configuration wizard is complete, you can change the data retention 
period by performing the following steps: 


1. Log in to https://security.microsoft.com as a member of the Global Administrator or 
Security Administrator Azure Active Directory roles. 


2. In the menu on the left, click Settings > Endpoints.
3. Under General, click Data Retention, as shown in Figure 1-51. 


4. Note that you cannot change the Data Storage location as previously mentioned 
(selections are unavailable). To change the Data Retention period, click the drop- 
down menu and select the number of days that is appropriate to your environment. 


5. When you are finished, click Save Preferences. 


MORE INFO SET UP MICROSOFT DEFENDER FOR ENDPOINT DEPLOYMENT


Full details of the Microsoft Defender for Endpoint subscription configuration wizard can be 
found at https://aka.ms/sc200_mdeconfigwiz. 
FIGURE 1-51 Data Retention selection for Microsoft Defender for Endpoint


Role-Based Access Control 


Like all Microsoft enterprise Software as a Service (SaaS) offerings, Microsoft Defender for Endpoint uses Azure Active Directory for authentication and authorization. Initial configuration provides the following Azure Active Directory built-in roles access to the endpoint-specific data and settings in the Microsoft 365 Security portal:

■ The Global Administrator and Security Administrator roles have full access.

■ The Security Reader role has read-only access.


Typically, this model is too rigid for larger companies, especially those with multi-tiered 
security operations teams. In these companies, each tier has set responsibilities and needs to 
have the least amount of privilege to carry out those responsibilities. Thankfully, Microsoft 
Defender for Endpoint's role-based security model was designed for various sizes of security 
teams. 


Roles in Microsoft Defender for Endpoint consist of two major parts: 


■ Roles that provide Azure Active Directory groups with specific rights to Microsoft Defender for Endpoint data and settings.

■ Device Groups that segment enrolled devices so that Azure Active Directory groups and their roles can be assigned to them.


This model allows for least privilege access to only the devices that the security analyst 
should possess. 
IMPORTANT ACCESS LOSS

Enabling roles will cause users with the Security Reader Azure Active Directory role to lose access to Microsoft Defender for Endpoint data and settings in the Microsoft 365 Security portal.


To enable roles, follow these steps: 


1. Log in to https://security.microsoft.com as a member of the Global Administrator or Security Administrator Azure Active Directory roles.

2. In the menu on the left, click Settings > Endpoints.

3. Under Permissions, click Roles, as shown in Figure 1-52.


FIGURE 1-52 Enabling roles for Microsoft Defender for Endpoint


4. Note the Users With Read-Only Permissions Will Lose Access To The Portal Until They Are Assigned One Of The New Roles Through Their Azure AD Groups warning. These are users who gained access via the Azure Active Directory Security Reader role. If you have users in this situation, you should create an Azure Active Directory group for these read-only users before you enable roles so they are back to being operational as quickly as possible. When you are ready, click Turn On Roles.


Now that roles are enabled, the Microsoft Defender For Endpoint Administrator (Default) role is automatically created, which provides full rights to the endpoint data and settings (see Figure 1-53).

This role can be used instead of the built-in Azure Active Directory Global Administrator or Security Administrator roles, which is ideal because those Azure Active Directory roles provide access beyond endpoint data and should be used sparingly. If a user needs full permissions to manage the endpoint data and related settings, they can be placed in this role.
FIGURE 1-53 Default role for Microsoft Defender for Endpoint


To provide read-only rights to the endpoint data, create a role with read-only access using 
the following steps: 


1. Log in to https://security.microsoft.com as a member of the Global Administrator or 
Security Administrator Azure Active Directory roles. 


2. In the menu on the left, click Settings > Endpoints.
3. Under Permissions, click Roles. 


4. Click the Add Item button and the fly-out menu will appear, as shown in Figure 1-54. 


FIGURE 1-54 Add Role fly-out window with permission list
5. Provide a Role Name and Description.

6. For Permissions, notice you can provide the View Data permission for either Security Operations data, Threat And Vulnerability Management data, or both. This is important if your security operations team is separate from your threat and vulnerability management team. In this case, you want to allow both types of data, so leave them both selected.

7. Click Assigned User Groups, as shown in Figure 1-55. 


FIGURE 1-55 Assigned User Groups tab


8. Because you likely have many security groups, you can type a partial group name in the text field to filter the list below. Secops was entered into this text box to filter the list to all groups containing "Secops" in the group title. Once you find the group or groups you need, select the box next to the Azure Active Directory group you want to assign the role to and then click the Add Selected Groups button. When you are finished, click the Save button.

The Secops-Tier1 user named Ryker now has read-only access to the endpoint data in the Microsoft 365 Security portal. Note in Figure 1-56 that Ryker can view data for the computer win10-1 but cannot perform any actions.

FIGURE 1-56 Read-only access to the win10-1 endpoint


EXAM TIP 


Be sure to know what rights to endpoint data and settings each permission provides. 


MORE INFO CREATE AND MANAGE ROLES FOR ROLE-BASED ACCESS CONTROL


Full details of each permission can be found at https://aka.ms/sc200_mderbac. 


Under Device Groups, notice there are no groups currently, as shown in Figure 1-57. 


FIGURE 1-57 Device Groups
This is because no device groups have been created yet. Once we create a device group, a default group will be created in addition to the group we create.


Without device groups, everyone who has permissions via a role will have those permissions over all onboarded devices. This may not be desirable, especially with sensitive devices, such as devices operated by executives of the company. Contoso has an executive support staff consisting of Mikey, Zach, and Dylan. They require access to the executive machines and should be the only ones with access. Because of this, you need to keep Ryker in Tier 1 from having access to these endpoints. You have already created the Executive Support role for the three executive support staff members and added the Azure Active Directory group. Now you need to create a device group for these executive devices.


To create a device group, follow these steps: 


1. Log in to https://security.microsoft.com as a member of the Global Administrator or 
Security Administrator Azure Active Directory roles. 


2. In the menu on the left, click Settings > Endpoints.


3. Under Permissions, click Device Group, and then click Add Device Group to open 
the fly-out menu shown in Figure 1-58. 


FIGURE 1-58 Add device group fly-out menu

4. In the Add Device Group fly-out menu, type a Device Group Name, choose an Automation Level, and type a Description.


5. In the Members section, devices can automatically be placed in this device group based on these values:


■ Name  Name of the device

■ Domain  Active Directory domain name the device is a member of

■ Tag  A label that is assigned to the device

■ OS  Operating system that runs on the device


The Name, Domain, and Tag values support Starts With, Ends With, Equals, and 
Contains operators. Note these conditions are Boolean AND conditions. For the device 
to be placed in this Device group, it must meet all the conditions you specify in the 
Value text box. You can use the Executive value for Tag. 


6. Preview Of Members allows you to see up to 10 devices that will be placed in this 
device group based on the Members logic. 


7. Click the User Access tab at the top of the Add Device Group fly-out menu, as shown 
in Figure 1-59. 


FIGURE 1-59 User Access tab

8. Click the check box next to Executive Support, click the Add Selected Groups button, and then click Done.


9. You should now be on the Device Groups page shown in Figure 1-60. 


FIGURE 1-60 Applying or discarding changes


10. You will see a warning at the top of the page indicating that you need to Apply Changes or Discard Changes. Click Apply Changes.


Once you click Apply Changes, a message with a green background appears where the 
warning was once located indicating that it will take a bit of time to apply the changes; once 
the changes are complete, the message disappears. You should now see two device groups— 
the one you created for Executive Machines and one you did not create called Ungrouped 
Devices (Default). They are ranked 1 and Last, respectively, as seen in Figure 1-61. 


FIGURE 1-61 Device Groups list
Devices are placed in device groups by evaluating the groups in rank order, starting with the group ranked 1 and working down the list. Once a device meets all the criteria of a device group, the device becomes a member of that group, and processing for that device stops. Therefore, it is important to put the most specific device groups (such as those that match tags) at the top and place less-specific device groups (such as those that match domains) toward the bottom. Ungrouped Devices (Default) is the "catch-all" device group that is created by default once you create a device group. This device group contains all devices that do not match the criteria of any device group you create. You can change the rank of the device groups by selecting the device group you want to change and clicking either the Promote Rank or Demote Rank buttons shown in Figure 1-62.


FIGURE 1-62 Promote Rank or Demote Rank buttons


With the changes complete, Mikey, Zach, and Dylan on the executive support staff are the 
only users with access to the executive devices. 
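The ranking and least-privilege rules above, as an added example that is not from the book or from Microsoft: a Python model of first-match device-group evaluation and of which analysts can see a given device. The Corp Workstations group, the device names, tags and Azure AD group names are constructed, and case-insensitive matching, any-tag matching and the default Administrator role reaching every group are assumptions.

```python
"""Added example (not the book's or Microsoft's code): models how Microsoft Defender
for Endpoint evaluates ranked device groups (first match wins, conditions ANDed,
Ungrouped catch-all last) and how device-group scoped roles limit device visibility."""
from dataclasses import dataclass

# Operators offered for Name, Domain and Tag conditions; case-insensitive by assumption.
OPERATORS = {
    "Equals": lambda have, want: have.lower() == want.lower(),
    "Starts With": lambda have, want: have.lower().startswith(want.lower()),
    "Ends With": lambda have, want: have.lower().endswith(want.lower()),
    "Contains": lambda have, want: want.lower() in have.lower(),
}

@dataclass
class Device:
    name: str
    domain: str
    tags: tuple            # a device may carry several tags
    os: str

@dataclass
class DeviceGroup:
    name: str
    conditions: list       # (field, operator, value) tuples; all must hold (AND)
    automation_level: str  # e.g. "No automated response" or "Full"
    user_groups: set       # Azure AD groups added on the User Access tab

def matches(group, device):
    """True only if every condition holds; OS is a plain equality check."""
    for field_name, op, want in group.conditions:
        if field_name == "OS":
            if device.os.lower() != want.lower():
                return False
        elif field_name == "Tag":
            # Assumption: any one of the device's tags satisfying the operator counts.
            if not any(OPERATORS[op](tag, want) for tag in device.tags):
                return False
        elif not OPERATORS[op](getattr(device, field_name.lower()), want):
            return False
    return True

def resolve_group(ranked_groups, device):
    """Walk groups from rank 1 downward; the first match wins and evaluation stops.
    The list must end with the catch-all, which has no conditions and always matches."""
    for group in ranked_groups:
        if matches(group, device):
            return group
    raise ValueError("ranked list must end with the Ungrouped (Default) catch-all")

def promote_rank(ranked_groups, name):
    """Swap a group with the one above it, as the Promote Rank button does.
    The catch-all is ranked 'Last' and never moves."""
    i = next(i for i, g in enumerate(ranked_groups) if g.name == name)
    if 0 < i < len(ranked_groups) - 1:
        ranked_groups[i - 1], ranked_groups[i] = ranked_groups[i], ranked_groups[i - 1]
    return ranked_groups

def can_view(user_aad_groups, roles, ranked_groups, device):
    """A user sees a device when one of their Azure AD groups holds a role with View
    Data AND that group was granted access to the device's device group (assumed)."""
    group = resolve_group(ranked_groups, device)
    for role_name, (aad_groups, permissions) in roles.items():
        granted_via = user_aad_groups & aad_groups
        if not granted_via or "View Data" not in permissions:
            continue
        if role_name == "Microsoft Defender for Endpoint Administrator (Default)":
            return True   # assumption: the default admin role reaches all device groups
        if granted_via & group.user_groups:
            return True
    return False

# Constructed configuration mirroring the Contoso scenario: a Tier 1 read-only
# role for Ryker and an Executive Support role for Mikey, Zach and Dylan.
ROLES = {
    "Microsoft Defender for Endpoint Administrator (Default)":
        ({"Secops-Admins"}, {"View Data", "Manage Security Settings"}),
    "Tier 1 Read-Only": ({"Secops-Tier1"}, {"View Data"}),
    "Executive Support": ({"Executive Support"}, {"View Data"}),
}
GROUPS = [  # rank 1 first; most specific (tag) above least specific (domain)
    DeviceGroup("Executive Machines", [("Tag", "Equals", "Executive")],
                "No automated response", {"Executive Support"}),
    DeviceGroup("Corp Workstations",
                [("Domain", "Ends With", "contoso.com"), ("OS", "Equals", "Windows 10")],
                "Full", {"Secops-Tier1"}),
    DeviceGroup("Ungrouped devices (Default)", [], "Full", {"Secops-Tier1"}),
]
EXEC_LAPTOP = Device("ceo-laptop", "contoso.com", ("Executive",), "Windows 10")
WIN10_1 = Device("win10-1", "contoso.com", (), "Windows 10")
BUILD01 = Device("build01", "lab.local", (), "Windows Server 2019")
RYKER, MIKEY = {"Secops-Tier1"}, {"Executive Support"}

if __name__ == "__main__":
    print("Ryker sees ceo-laptop:", can_view(RYKER, ROLES, GROUPS, EXEC_LAPTOP))
    # Ranking the broad domain group above the tag group swallows the executive
    # laptop and silently hands Tier 1 access to it.
    misranked = promote_rank(list(GROUPS), "Corp Workstations")
    print("...after mis-ranking:", can_view(RYKER, ROLES, misranked, EXEC_LAPTOP))
```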


MORE INFO ADVANCED RBAC EXAMPLE


See the following blog for an advanced RBAC use case: https://aka.ms/sc200_mderbacadv. 


Alert notifications 


It is assumed that the security operations team has better things to do than to stare at a dashboard all day, waiting for something to happen. So how will they know when alerts are triggered in Microsoft Defender for Endpoint that need their attention? The Email notifications feature in Microsoft Defender for Endpoint can send emails based on alerts that are generated. These notifications are created through rules which can be customized to send alerts to different email addresses based on their severity and the Device group affected.


To receive Alert notifications, follow these steps: 


1. Log in to https://security.microsoft.com as a member of the Azure Active Directory 
Global Administrator or Security Administrator roles or as a member of an Endpoint 
role with the Manage Security Settings permission. 


2. In the menu on the left, click Settings > Endpoints.


3. Under General, click Email Notifications. 
4. On the Alerts page, click Add Item to bring up the New Notification Rule fly-out menu shown in Figure 1-63.


FIGURE 1-63 New Notification Rule


5. In the Rule Name field, type Tier 1 Alerts.


6. The Include Organization Name, Include Organization-Specific Portal Link, and Include Device Information options let you choose what items appear in the email body. While you might wonder why you wouldn't include this information by default, you might want to limit it for privacy reasons, given that emails can be forwarded.


7. Under Devices, choose Notify For Alerts On All Devices or, if you plan to notify different email addresses based on different device groups, choose Notify For Alerts On Selected Device Group and pick the device group(s) to use for this notification rule. For this rule, select Notify For Alerts On All Devices because it is going to the Tier 1 security operators.

8. Alert Severity allows you to choose what severity the alert must be to trigger this rule. Click Check/Uncheck All to select all severities and click Next to advance to the Recipients settings shown in Figure 1-64.


FIGURE 1-64 Recipients tab


9. On the Recipients tab, in the Recipient Email Address field, type the email addresses that you want to be notified when this alert notification rule is matched and click Add. You can also click Send Test Email to preview your settings for the rule.


10. When you are finished, click Save. This returns you to the Email Notifications page. 
Note there is also a Vulnerabilities page where you can add notification rules when new 
vulnerabilities are found in the endpoint environment. 


MORE INFO CONFIGURE ALERT NOTIFICATIONS


See the following article for more information on configuring notifications: 
https://aka.ms/sc200_mdenotify. 


Advanced settings 


Microsoft Defender for Endpoint's sensor is used for more than just Endpoint Detection and 
Response (EDR). Features are being added constantly, and they can be enabled or disabled 
based on your needs. To enable or disable the advanced capabilities, follow these steps: 


1. Log in to https://security.microsoft.com as a member of the Global Administrator or 
Security Administrator Azure Active Directory roles or as a member of a Microsoft 
Defender for Endpoint role with the Manage Security Settings permission. 


2. In the menu on the left, click Settings > Endpoints.

3. Under General, click Advanced Features.

There are two types of advanced features:

■ Endpoint features  Enable or disable Microsoft Defender for Endpoint capabilities.

■ Integration features  Allow for data sharing with other Microsoft products, such as Intune, Microsoft Cloud App Security, and the like.
Following are examples of Endpoint features:

■ Automated investigation  The auto-remediation capability that responds to alerts and attempts to return the endpoint to a healthy state.

■ Automatically resolve alerts  If automated investigation can return an endpoint to a healthy state, it will automatically mark the alert as resolved, so incident responders know it was dealt with.

■ EDR in block mode  Enables Defender to block attacks even when there is a third-party anti-virus agent installed.

■ Live Response and Live Response for Servers  Allows an incident responder to open a limited interactive shell with an endpoint.

■ Allow or block file  Uses cloud protection to allow or block files on endpoints.

■ Preview features  Allows your subscription to receive features before they become generally available.

■ Microsoft threat experts  Allows Microsoft human hunters pseudonymized access to your endpoint data, so that in the event of a breach, these hunters can send targeted attack notification (TAN) alerts into your tenant to draw your security operations team's attention to the incident.


Examples of integration features include the following: 


■ Show user details  Allows Microsoft Defender for Endpoint to call into Azure Active Directory to fill out user information such as job title, department, name, and so on.

■ Microsoft Cloud App Security  Network data relating to cloud application access can be shared with Cloud App Security for discovery. It also allows for blocking unsanctioned cloud apps.

■ Microsoft Defender for Identity integration  Shares Endpoint data with Microsoft Defender for Identity to improve detections, enhance identity pages, and provide additional evidence in incidents.

■ Share Endpoint alerts with Microsoft Compliance Center  Allows risk officers to view Endpoint alerts in the Microsoft 365 Compliance portal and enhances insider risk insights.

■ Microsoft Intune Connection  This setting shares the onboarding information with Microsoft Intune to onboard devices into Microsoft Defender for Endpoint, as well as sharing the device's risk score. Intune uses this risk score to mark a device as compliant or not compliant, based on your risk compliance policy settings in Intune.


MORE INFO CONFIGURE ADVANCED FEATURES IN DEFENDER FOR ENDPOINT


See the following article for more information on configuring advanced features: 
https://aka.ms/sc200_mdeadvfeatures. 
Respond to incidents and alerts

Now that Microsoft Defender for Endpoint is configured, it is time to look at how to investigate endpoint-related alerts and incidents. There are built-in simulations that you can use to generate benign alerts and incidents; just be sure to run the simulation in a test environment, so you can avoid an unpleasant conversation with your company's security operations team!


You need to train your security operations team on how to triage alerts and incidents using 
Microsoft Defender for Endpoint. The simulation you can use to practice responding to alerts 
and incidents can be accessed by following these steps: 


1. Log in to https://security.microsoft.com as any user who has at least the View Data permission for Endpoint data.

2. Under Endpoints, expand Evaluation & Tutorials and click Tutorials & Simulations to bring up the Simulations & Tutorials page shown in Figure 1-65.


FIGURE 1-65 Simulations & Tutorials


3. Click the Get Simulation File button under the Automated Investigation (Backdoor) simulation in the Microsoft section.

4. Once the file downloads, click the Learn More button to open the guide for this simulation.

5. Follow the guide for how to run the simulation; it includes the password necessary to open the file and instructions for how to enable the macro that carries out the benign attack. It will take a few minutes for the alerts to populate and for the automated investigation to complete.

6. To investigate the incident, select Incidents & Alerts in the menu on the left, and then click Incidents.

7. You will see an incident titled Multi-Stage Incident Involving Initial Access & Persistence On One Endpoint, as shown in Figure 1-66.


FIGURE 1-66 Incidents view in Microsoft 365 Security portal


8. Expand the incident by clicking the icon next to the Incident Name. Note that there are multiple alerts in this incident. While it is possible to manually associate alerts with incidents, in Microsoft 365 Defender there are machine-learning models and detection logic running against all alerts that are ingested. Alerts that the machine-learning model believes are related will be grouped into a single incident. This is important because it starts to formulate an attack story for the incident responder, instead of relying on the incident responders to draw this correlation for themselves.


9. To view more information on this incident, you can click the bubble to the left of the incident noted by the arrow in Figure 1-67 to open the incident fly-out menu.


FIGURE 1-67 Selecting an incident


Click Assign To Me. A pop-up window will appear indicating that the incident and all 
alerts in the incident will be assigned to you. Click Assign To Me in that pop-up. This is 
a quick way to take ownership of an incident and all linked alerts, which lets your fellow 
security operators know that you are working this incident. 


From the fly-out page, click Open Incident. 


You are now viewing the incident with all the associated alerts, starting with the 
Summary view. The goal of this view is to ensure the incident responder has as much 
information as needed to determine if the incident can be resolved or if it requires more 
investigation. If it requires more investigation, additional details are all available in this 
view as shown in Figure 1-68 to assist in formulating the incident response plan. 
FIGURE 1-68 Viewing the incident summary 


13. First, look at the Alerts And Categories section shown in Figure 1-69. 
FIGURE 1-69 Alert timeline and MITRE ATT&CK mapping 

14. Alerts And Categories is a vertical list of alerts in chronological order, with the top 
alert occurring first in the chain of alerts. Above the vertical list are the alerts mapped 
to the MITRE ATT&CK framework showing what stages of the framework the alerts in 
this incident apply to. The bars signify each stage of the framework; hovering over the 
bars will show you what stage has alerts and how many alerts are in that stage. 


MORE INFO MITRE ATT&CK FRAMEWORK 
More information on the MITRE ATT&CK Framework can be found at https://attack.mitre.org/. 


15. Next on the summary screen you see the Scope and Evidence that are involved in this 
incident. Under Scope, the individual devices and users can also be seen by clicking the 
applicable Devices and Users sections, as indicated by the arrows in Figure 1-70. Under 
Evidence, you can click the View All Entities link to see the files, processes, IP address- 
es, and other evidence related to this incident. 
FIGURE 1-70 Alert timeline and MITRE ATT&CK mapping 


16. Click the Alerts section. 

17. In the Alerts section, you can see a list of alerts that make up this incident. Note how the first alert, Suspicious PowerShell Command Line, has several entries, and they are grouped under a single entry. This lets you manage alerts resulting from the same detector logic as a single entity or as separate artifacts. 

18. Select the bubble next to the first Suspicious PowerShell Command Line alert. A fly- 
out page showing additional information about this alert appears, as shown in Figure 1-71. 
FIGURE 1-71 Selected alert fly-out page 

19. You can classify the alert as a True Alert or False Alert (in other words, "true positive" or "false positive"), which you can use for reporting. This also feeds back into the detector logic in Microsoft Defender for Endpoint and helps Microsoft determine the signal-to-noise ratio of each detector, which is used to measure how effective it is and whether it should be optimized. 

Status allows you to set the alert to In Progress or Resolved, which can also be used 
for reporting and to let other incident responders know the status of the alert. 


TIP SET CLASSIFICATION AND STATUS ON AN INCIDENT 

When possible, set the Classification and Status on an incident rather than on the individual alerts in the incident. Once an incident is classified and the status is set, all alerts in the incident will adopt those settings. This will minimize the amount of overhead when managing incidents and alerts. 


20. On the fly-out page, click Open Alert Page. 


21. The alert page shows you all the information available for the alert, as shown in Figure 1-72. 
FIGURE 1-72 Alert page 


22. At the top of the page, there is a breadcrumb trail showing where you were before you clicked this alert. This is consistent throughout the Microsoft 365 Security portal so that you keep your place in your investigation and can quickly backtrack if necessary. There is also a View Incident Page link that returns you to the incident the alert is part of. In the Alert Story, you can see the process tree as well as the alert and which event in the process tree triggered the alert. In this case, the Suspicious PowerShell Command Line alert was triggered because of the partially obfuscated command line. 

23. Click the Suspicious PowerShell Command Line item and notice how the pane on the right changes. As you click each entity, the pane on the right shows additional information about the entity you have selected in the Alert Story. 

24. With the Suspicious PowerShell Command Line item selected, click the ellipsis (...) indicated by the arrow in Figure 1-73. 

25. Clicking See In Timeline allows you to pivot from this alert to the device timeline at the moment of the event that triggered the alert. This is helpful when you want to see what events happened around the time the alert occurred. Clicking Consult A Threat Expert sends this alert to a Microsoft Threat Expert to ask a question, though it is important to note that this is an additional service you must pay for on top of your license cost. 
FIGURE 1-73 Alert page 


26. Click Create Suppression Rule when there is an EDR-sourced alert that is a benign true positive in your environment. A benign true positive is an alert that is a true alert, though it is a normal operation in your environment and can safely be ignored. A theoretical example would be a medical application that uses PowerShell to download its application updates encoded in Base64. More than likely, this will raise an alert, and while this is certainly not the best way to do software updates, it is normal operation for the application, so the resulting alert is a benign true positive. 
27. Click Create Suppression Rule, which opens the menu shown in Figure 1-74. 

FIGURE 1-74 Create Suppression Rule for an alert 


28. Great care must be taken when creating suppression rules because they are effectively muting detections in your environment. Like exclusions in an anti-virus program, suppression rules should be created with criteria that are as specific as possible. To illustrate this point, you are creating a suppression rule that involves powershell.exe. It is possible to suppress all alerts related to powershell.exe, though this would be a very bad idea because it would create a major blind spot in your detections! 


29. Suppression conditions can be used to increase the specificity of the suppression rule. In this case, coupling the command line with the file name and folder path should provide criteria that are specific enough to make this suppression rule as safe as possible. Note that SHA1 is not selected because the SHA1 of powershell.exe will change each time it is patched. 

NOTE SECURE HASH ALGORITHM 1 (SHA1) 

SHA1, or Secure Hash Algorithm 1, is a cryptographic hash that is calculated for the file. If two files have the same SHA1, they are considered identical. 


30. Under Action, you can select either Hide Alert or Resolve Alert. If you do not want to see the alert at all, select Hide Alert. If you want to see the alerts but have them resolved automatically, choose Resolve Alert. 


31. Scope is another great way to limit your exposure in a suppression rule. You can configure the suppression rule to apply only when the machine the alert involves is an endpoint in a given device group. If there is only one endpoint that should run this type of command, you can scope the suppression rule to that individual endpoint. 


32. Name and Comment help you document the suppression rule. It is a best practice to add as much information in the Comment text box as possible. In this case, because Contoso uses a change management system to track changes performed in their production environment, the change ID that documents this change was added. 


33. Do not save this suppression rule; instead, click Cancel to return to the alert. 
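The specificity argument in the suppression-rule steps above, as an added Python example that is not code from the book or from Microsoft Defender for Endpoint: a small model of how suppression conditions combine. The alerts, device groups, folder path, the "MedApp" updater command line and the change ID are all constructed for this example, and the matching semantics (exact case-insensitive comparison of each configured condition, AND across conditions, device-group scope) are an assumption for illustration rather than the product's documented logic.

```python
"""Added example (not from the book): how suppression-rule conditions combine.

Constructed alerts and rules model the conditions discussed in the suppression
steps: file name, folder path, command line and device-group scope. A rule keyed
only on powershell.exe silences every PowerShell alert; combining the conditions
suppresses only the known-benign updater.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    alert_id: str
    device_group: str
    file_name: str
    folder_path: str
    command_line: str


@dataclass(frozen=True)
class SuppressionRule:
    name: str
    action: str = "hide"                       # "hide" (Hide Alert) or "resolve" (Resolve Alert)
    file_name: Optional[str] = None            # an unset condition is a wildcard
    folder_path: Optional[str] = None
    command_line: Optional[str] = None
    device_groups: Optional[frozenset] = None  # None = rule applies to every device


def rule_matches(rule: SuppressionRule, alert: Alert) -> bool:
    """All configured conditions must hold (AND); string comparisons ignore case."""
    if rule.device_groups is not None and alert.device_group not in rule.device_groups:
        return False
    pairs = (
        (rule.file_name, alert.file_name),
        (rule.folder_path, alert.folder_path),
        (rule.command_line, alert.command_line),
    )
    return all(cond is None or cond.lower() == actual.lower() for cond, actual in pairs)


def apply_rules(rules, alerts):
    """Map each alert id to the action of the first matching rule, or None if it stays visible."""
    outcome = {}
    for alert in alerts:
        outcome[alert.alert_id] = next(
            (rule.action for rule in rules if rule_matches(rule, alert)), None)
    return outcome


# Constructed sample data (hypothetical paths, device groups and application).
PS_DIR = r"C:\Windows\System32\WindowsPowerShell\v1.0"
UPDATER_CMD = r'powershell.exe -NoProfile -File "C:\Program Files\MedApp\update.ps1"'

SAMPLE_ALERTS = [
    Alert("A1", "Medical Workstations", "powershell.exe", PS_DIR, UPDATER_CMD),
    Alert("A2", "Medical Workstations", "powershell.exe", PS_DIR,
          "powershell.exe -Command Get-Process"),
    Alert("A3", "Executive Machines", "PowerShell.exe", PS_DIR, UPDATER_CMD),
]

# The over-broad rule the text warns against: every powershell.exe alert is hidden.
BROAD_RULE = SuppressionRule("Suppress all powershell.exe", file_name="powershell.exe")

# The specific rule: command line + file name + folder path, scoped to one device group,
# documented with a placeholder change ID in its name.
SPECIFIC_RULE = SuppressionRule(
    "MedApp updater (change ID CHG-0000, placeholder)", action="resolve",
    file_name="powershell.exe", folder_path=PS_DIR, command_line=UPDATER_CMD,
    device_groups=frozenset({"Medical Workstations"}))

if __name__ == "__main__":
    print("broad rule:   ", apply_rules([BROAD_RULE], SAMPLE_ALERTS))
    print("specific rule:", apply_rules([SPECIFIC_RULE], SAMPLE_ALERTS))
```

Running the block shows the broad rule hiding all three alerts, including the unrelated Get-Process alert and the one on an executive machine, while the specific rule auto-resolves only the updater alert in the medical device group.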


34. Back on the Alert page, click the ellipsis (...) menu next to the device object near the top of the page, as shown in Figure 1-75. 

FIGURE 1-75 Device action menu 


Skill 1-2: Detect, investigate, respond, and remediate endpoint threats 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 




35. Below are descriptions for each option: 

■ Open Device Page This will pivot the view from the alert page to the device page. 

■ Device Value You can set a value on devices as High, Normal, or Low based on the importance of the device. For example, domain controllers could be marked High because they should be one of the most protected assets in your network. Executive officer machines are another example on which you would want to set a value. This setting also affects your organization's exposure level score based on the findings on these devices. Exposure scores will be covered in the "Managing risk through security recommendations and vulnerability management" section later in this chapter. 

■ Manage Tags Allows you to add or remove tags from the device. 

■ Run Antivirus Scan Runs either a quick or full scan on the device. 

■ Collect Investigation Package Various preprogrammed scripts and commands run on the device that collect items like registry keys, scheduled tasks, DNS cache, and the like. This information is zipped and uploaded to the portal for download by an incident responder. 

■ Restrict App Execution Applies a code integrity policy on the device to only allow Microsoft applications to run, which helps stop malicious binaries from running. 

■ Initiate Automated Investigation Manually kicks off the artificial intelligence-driven Automated Investigation process on the device. Typically, automated investigations are initiated by supported alert types. 

■ Initiate Live Response Session Starts a live response session with the device. 

■ Isolate Device Instructs the Windows Firewall to block all inbound and outbound traffic to and from the device except for communications with the Defender for Endpoint cloud service. 

■ Consult A Threat Expert This option allows you to submit a question about this device to the Microsoft Threat Experts (MTE) service. For example, if you thought this device showed suspicious behavior but were not sure, selecting this option will send a request to an MTE team member. 

NOTE MICROSOFT THREAT EXPERTS (MTE) 

The Microsoft Threat Experts (MTE) Consult A Threat Expert service is a purchased service and is not covered on the exam. 

■ Action Center Review what actions were performed on the device, such as Isolate Device, Collect Investigation Package, and so on. 


36. Click the View Incident Page at the top of the alert page to return to the incident. If 
needed, you can return to the incident by clicking Incident & Alerts on the left. 
37. Click the Investigations section and then click the bubble next to PowerShell Dropped A Suspicious File On The Machine Triggering Alert. Click Open Investigation Page, as shown in Figure 1-76. 

FIGURE 1-76 Open investigation page 


38. You now see the Investigation Summary page shown in Figure 1-77. 


FIGURE 1-77 Investigation graph 

39. The Investigation Summary page shows the investigation that was started automatically by the Automated Investigation self-healing technology in Defender for Endpoint. The investigation graph is best read in a counterclockwise direction, starting with the top-most element, Alert Received. The investigation graph shown here tells you the following things: 


■ PowerShell Dropped A Suspicious File On The Machine is the alert that triggered the investigation. Also, there is one correlated alert, which you can see by clicking the Alerts section above the investigation graph. 

■ One device is involved in the investigation: WIN10-1. 

■ To determine how to get the device healthy again, 3,698 Entities were analyzed. 

■ Entities analyzed were composed of files, processes, services, drivers, IP addresses, and persistence methods. 

■ Based on the entities analyzed, two entities were found to be malicious. 


Clicking each icon in the Investigation graph will take you to the respective sections 
above the graph. 


40. Click the Evidence icon, which looks like a bug. 


41. In the Evidence list, click the entity named winatp-intro-backdoor.exe. This will open 
the File fly-out menu shown in Figure 1-78. 


FIGURE 1-78 File menu 

42. This fly-out page provides detailed information about this file, including file hashes, worldwide prevalence, file path, file size, and more. Click Open File Page at the top of the File fly-out menu. 


43. On the File Page, you can see all the information Defender for Endpoint has on this file. You can also take the following actions: 


■ Stop And Quarantine File Stops this file if it is running on any endpoint and quarantines the file. 

■ Add Indicator Adds this file's SHA2 hash to the file indicators list. Indicators are files, IP addresses, URLs, or code-signing certificates that you want to block or allow in your environment. 

■ Collect File / Download File Allows you to collect the file from an endpoint that has the file and download it from the portal. Either the Collect File or Download File option will be displayed, depending on whether the file is present in your subscription. If Download File is shown, more than likely the file has been collected in the past and is present in your Defender for Endpoint tenant. If Collect File is shown, the file has not been collected and needs to be retrieved from an endpoint. Once the file is available for download, you can use Download File, which will prompt you for a password. The password will be used for the zip archive that the file is placed in before being downloaded to your machine. 

■ Consult A Threat Expert This option allows you to submit a question about this file to the Microsoft Threat Experts (MTE) service. For example, if you thought this file showed suspicious behavior but were not sure, selecting this option would send a request to an MTE team member. This is a service that must be purchased and is not covered on the exam. 

■ Action Center Allows you to see what actions have been performed on this file and the status of each action. 


44. Click the PowerShell Dropped A Suspicious File On The Machine text at the top of the screen to return to the investigation shown in Figure 1-79. 

FIGURE 1-79 Investigation Summary 

45. At the left under Investigation Details, you see that the Status is Remediated. 

46. Earlier in this chapter, you learned about remediation levels, which are configurable on device groups. In this example, the device is configured for fully automated remediation, meaning any pending actions resulting from an investigation will automatically be approved. You can see the remediation level by clicking the device icon in the investigation graph, which takes you to the Devices tab shown in Figure 1-80. 


FIGURE 1-80 Devices tab 
47. In the list of devices, you see that WIN10-1.CONTOSO.COM has a Remediation Level of Fully Automated. 

48. Because Automated Investigation returned this device to a healthy state by removing the threats, you can now close this incident. 

49. Click the incident name Multi-Stage Incident Involving Initial Access & Persistence On One Endpoint at the top of the page. You can also access this incident using the Incident menu item under Incidents & Alerts on the far-left menu. 

50. Once you are on the incident page for this incident, click the Manage Incident option in the upper-right portion of the screen. This will bring up the Manage Incident fly-out menu, as shown in Figure 1-81. 


FIGURE 1-81 Manage Incident 

51. Click the toggle switch next to Resolve Incident. This will change the status of the incident and all alerts in the incident to Resolved. 


52. Select True Alert as the Classification. 

53. Under Determination, you have the following options: 

■ APT Advanced Persistent Threat indicates this incident is related to an attack by a known actor. 

■ Malware The incident was caused by malware. 

■ Security Personnel A member of the security team triggered this incident on their own machine. 

■ Security Testing Indicates this incident was part of a security simulation. Choose this option. 

■ Unwanted Software The incident was caused by software that should not run on the machine. 

■ Other Select this if the incident does not match any of the previous determination options. 


IMPORTANT DETERMINATION SETTING 


The Determination setting will be applied to the incident and any linked alerts to the 
incident that do not already have a determination set on the individual alert. 


54. Type comments in the Comment text box. Adding comments is optional, but it is help- 
ful to document your findings while investigating the incident. Other security respond- 
ers can see the findings and add additional information if applicable. 


55. Once you complete your comment entry, click Save. 


Congratulations, you have now triaged your first incident in Microsoft Defender for Endpoint! 


Creating custom detections 


While there are many built-in detections in Microsoft Defender for Endpoint, most security 
operations teams need the ability to create custom detections. There are three ways to gener- 
ate custom detections: 


■ Generate custom indicators 

■ Generate custom detection rules using Advanced Hunting 

■ Create an alert API 


MORE INFO CREATING AN ALERT API 


Typically, custom detection rules and custom indicators are used to create custom detec- 
tions. Creating an alert API is not covered on the exam, though more information can be 
found at https://aka.ms/sc200_mdealertapi. 
Custom detection rules using Advanced Hunting 


Advanced Hunting is one of the most popular features in Microsoft Defender for Endpoint. It 
provides lightning-fast query response time against up to 30 days of data, even in environ- 
ments with millions of endpoints onboarded. The query language you use to search your data 
in Advanced Hunting is called Kusto Query Language, or KQL. If you have used Azure services 
such as Log Analytics in the past, you already have some exposure to KQL. Advanced Hunting 
can be used for ad-hoc queries against your data, which is typically how custom detections 
start out. 


MORE INFO LOG ANALYTICS QUERIES 


Microsoft hosts a GitHub repository that is filled with great queries to get you started: 
https://GitHub.com/microsoft/Microsoft-365-Defender-Hunting-Queries. 


In this GitHub repository, there is a KQL query we can use to detect WMI deletions of shadow-copy snapshots. This is a technique usually seen in correlation with ransomware: shadow-copy snapshots are removed prior to encryption so that recovery from these snapshots is not possible. Here is the KQL query: 

DeviceProcessEvents 
| where FileName =~ "wmic.exe" 
| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete" 
| project DeviceId, Timestamp, InitiatingProcessFileName, FileName, 
    ProcessCommandLine, InitiatingProcessIntegrityLevel, InitiatingProcessParentFileName 


This query is explained by the following pseudocode: 

"Check the DeviceProcessEvents table for event entries where the process file name equals wmic.exe (ignoring case) and where the process command line has both the terms shadowcopy and delete. Once this data is found, show the DeviceId, Timestamp, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessIntegrityLevel, and InitiatingProcessParentFileName." 


Now that you understand what this query is doing, you will create a custom detection using 
this query and by following these steps: 


1. Log in to https://security.microsoft.com as a member of the Azure Active Directory 
Global Administrator or Security Administrator roles or as a member of an Endpoint 
role with the Manage Security Settings permission. 


2. In the menu on the left, click Hunting > Advanced Hunting. 


3. By default, the Get Started section is shown on the right. You can go through the exer- 
cises or click the Query section to change to the query editor. On the left is the schema 
for advanced hunting, as shown in Figure 1-82. 
FIGURE 1-82 Advanced Hunting schema 


The three dots next to each table open the schema reference for that table. Hovering over a field pops up a description for the field. 

4. Type the following query into the query window. Note that KQL is a case-sensitive language. 

DeviceProcessEvents 
| where FileName =~ "wmic.exe" 
| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete" 
| project DeviceId, Timestamp, InitiatingProcessFileName, FileName, 
    ProcessCommandLine, InitiatingProcessIntegrityLevel, 
    InitiatingProcessParentFileName 


Notice when you type, you are assisted by autocomplete. 
5. To make sure the query syntax is error free, click Run Query. 


You probably will not get any results in your environment, which is okay. To create a 
custom detection, the query does not need to return results initially. 


TIP DON'T QUERY TOO OFTEN 


You do not want a query to return results too often because the custom detection will 
generate too many alerts. 


6. Click the Create Detection Rule option in the upper-right corner of the query window, 
which displays the error shown in Figure 1-83. 


FIGURE 1-83 Error when creating a custom detection 


7. This happened because we did not add the ReportId field to the project statement 
in the query, which is required to be in the returned fields for a custom detection. 
Timestamp, ReportId, and a field that represents a specific device, user, or mailbox 
are all required for custom detections. 


8. Modify your query to add ReportId to the project line, as shown below: 

DeviceProcessEvents 
| where FileName =~ "wmic.exe" 
| where ProcessCommandLine has "shadowcopy" and ProcessCommandLine has "delete" 
| project ReportId, DeviceId, Timestamp, InitiatingProcessFileName, FileName, 
    ProcessCommandLine, InitiatingProcessIntegrityLevel, 
    InitiatingProcessParentFileName 
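The shadow-copy deletion query from the start of this section and the required-column error from step 7, as an added Python example that is not code from the book or from the Microsoft hunting-queries repository. It emulates the query over constructed DeviceProcessEvents rows (the device id, timestamps and command lines are made up) and reproduces the column check the wizard performs: Timestamp, ReportId and an entity column must all be projected. The `kql_has` and `kql_eq` helpers are approximations of KQL `has` (case-insensitive whole-term match) and `=~` (case-insensitive equality), and the entity-column set is an assumed subset of what the wizard accepts.

```python
"""Added example (not from the book or the Microsoft hunting-queries repository):
a Python emulation of the shadow-copy deletion query over constructed
DeviceProcessEvents rows, plus the column check the Create Detection Rule wizard
performs. Entity columns are an assumed subset; MDE accepts more than these.
"""
import re

_TERM_RE = re.compile(r"[A-Za-z0-9_]+")


def kql_has(text: str, term: str) -> bool:
    """Approximates KQL `has`: case-insensitive match on a whole term, so
    "shadowcopy" matches "wmic shadowcopy delete" but not "shadowcopies"."""
    return term.lower() in {t.lower() for t in _TERM_RE.findall(text)}


def kql_eq(a: str, b: str) -> bool:
    """Approximates KQL `=~`: case-insensitive string equality."""
    return a.lower() == b.lower()


# The `project` line of the corrected query, ReportId included.
PROJECTED = ["ReportId", "DeviceId", "Timestamp", "InitiatingProcessFileName",
             "FileName", "ProcessCommandLine", "InitiatingProcessIntegrityLevel",
             "InitiatingProcessParentFileName"]

REQUIRED_COLUMNS = {"Timestamp", "ReportId"}
ENTITY_COLUMNS = {"DeviceId", "DeviceName"}   # assumed subset of accepted entity columns


def shadow_copy_deletions(events, project=PROJECTED):
    """Rows where FileName =~ "wmic.exe" and the command line has both terms,
    reduced to the projected columns (the query's `project` operator)."""
    hits = []
    for e in events:
        if not kql_eq(e["FileName"], "wmic.exe"):
            continue
        cmd = e["ProcessCommandLine"]
        if kql_has(cmd, "shadowcopy") and kql_has(cmd, "delete"):
            hits.append({col: e[col] for col in project})
    return hits


def check_detection_columns(columns):
    """Return (missing required columns, whether an entity column is present),
    mirroring the error the wizard shows when ReportId is not projected."""
    cols = set(columns)
    return sorted(REQUIRED_COLUMNS - cols), bool(ENTITY_COLUMNS & cols)


def make_event(report_id, file_name, cmd):
    """Constructed DeviceProcessEvents row with the fields the query projects."""
    return {"ReportId": report_id, "DeviceId": "deviceid-placeholder",
            "DeviceName": "win10-1.contoso.com", "Timestamp": "2021-01-01T12:00:00Z",
            "InitiatingProcessFileName": "cmd.exe", "FileName": file_name,
            "ProcessCommandLine": cmd, "InitiatingProcessIntegrityLevel": "High",
            "InitiatingProcessParentFileName": "explorer.exe"}


SAMPLE_EVENTS = [
    make_event(1001, "wmic.exe", "WMIC.exe shadowcopy delete /nointeractive"),  # the book's test command
    make_event(1002, "wmic.exe", "wmic.exe os get caption"),                   # benign inventory use
    make_event(1003, "WMIC.EXE", "wmic.exe SHADOWCOPY DELETE"),                # case differs, still matches
    make_event(1004, "wmic.exe", "wmic.exe shadowcopy list brief"),            # has shadowcopy, not delete
]

if __name__ == "__main__":
    for row in shadow_copy_deletions(SAMPLE_EVENTS):
        print(row["ReportId"], row["ProcessCommandLine"])
    print(check_detection_columns(PROJECTED[1:]))   # what the wizard complained about
    print(check_detection_columns(PROJECTED))
```

The two matching rows show that `=~` and `has` make the query indifferent to letter case, while the `list brief` row shows that both terms must be present; dropping ReportId from the projection reproduces the missing-column condition behind Figure 1-83.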


9. Click Run Query to make sure you do not have syntax errors and then click Create 
Detection Rule. 


10. The following fields are shown in the Create Detection Rule wizard, as well as in 
Figure 1-84. 
FIGURE 1-84 Create Detection Rule wizard, Alert Details 


■ Detection Name A name for the detection. 

■ Frequency This is how often the custom detection rule will run. The choices are Every 24 Hours, Every 12 Hours, Every 3 Hours, or Every Hour. The more often your custom detection rule runs, the smaller the window of time it will look back. In Figure 1-84, Every Hour has been chosen. 

■ Alert Title This is the title of the alert you will see in the alert view. 

■ Severity This is the severity of the alert. The choices are High, Medium, Low, and Informational. Choose High because this is ransomware-related and needs to be triaged as fast as possible. 

■ Category This is the type of activity that best matches this alert. Choose Ransomware. 

■ Description This is a description for the custom detection rule. 

■ Recommended Actions This instructs the incident responder regarding the steps to take for triaging and resolving this alert. 
11. Click Next to advance to the Impacted Entities page shown in Figure 1-85. 


FIGURE 1-85 Impacted Entities 


12. Only the Device option will be available because only device info is returned by this query. Select the Device option and select DeviceId from the drop-down menu. Click Next to open the Actions page shown in Figure 1-86. 


FIGURE 1-86 Create Detection Rule, Actions 


13. From this screen, you can trigger a response action on the device that triggers the cus- 
tom detection. These actions are the same as covered previously. Select Isolate Device 
and make sure Full is selected because you do not want to allow Outlook, Skype, or 
Teams to have access while isolated. Then click Next to open the Scope page shown in 
Figure 1-87. 


FIGURE 1-87 Scope for the custom detection rule 

14. The Scope page lets you select which device group you want to target with the custom detection rule. Select All Devices and click Next. 

15. The Summary page lists all the configuration settings made so far in the Create Detection Rule wizard. You can edit any of the settings from this screen. When the settings are configured as desired, click Create to create the custom detection rule. 


To test the custom detection rule, follow these steps: 


1. Run the following command on an onboarded endpoint using an elevated command prompt or PowerShell: 

WMIC.exe shadowcopy delete /nointeractive 

2. Wait for about 5 minutes for the data to reach the tenant. 

3. Log in to https://security.microsoft.com as a member of the Global Administrator or Security Administrator Azure AD roles or as a member of an Endpoint role with the Manage Security Settings permission. 

4. In the menu on the left, expand Hunting and click Custom Detection Rules. 

5. You should see the custom detection rule you created in the previous steps. Click the bubble next to the custom detection rule. A fly-out menu for the rule will appear, as shown in Figure 1-88. 

FIGURE 1-88 Detection Rules 

6. In this fly-out menu, you can see the Last Run and Next Run of this custom detection rule. To see the full details of this rule, click Open Detection Rule Page to open the page shown in Figure 1-89. 

FIGURE 1-89 Click Run to manually run the custom detection rule. 

7. On this page, you can fully manage the custom detection rule and see any Triggered Alerts and Triggered Actions. If you do not see a triggered alert and the Last Run Time field has not been populated, click Run in the top-right corner of the page. 

8. If the data reached the tenant from the onboarded device, this should generate the custom detection alert shown in Figure 1-90. 

FIGURE 1-90 Custom detection rule alert 

9. Note that the fields in the details on the right reflect the information provided when you created the custom detection rule. 


10. Click the ellipsis (...) next to the Device Name at the top of the alert. You should see 
the Release From Isolation option at the bottom right (see Figure 1-91). 


FIGURE 1-91 Release From Isolation 


11. This indicates that the machine is currently isolated because that was the action you specified to occur when activity on a device matched the custom detection rule in question. Click Release From Isolation. 


MORE INFO CREATE AND MANAGE CUSTOM DETECTION RULES 


See the following article for more information on creating and managing custom detection 
rules: https://aka.ms/sc200_m365customdetect. 


Custom indicators 

Indicators are another way to generate custom alerts, as well as to block activity based on files, IP addresses, URLs, domains, and certificates. While you could create custom detection rules for these types of indicator-based detections, custom indicators are a much better-suited tool for non-logic-based detections, and they have the additional benefit of being able to block the file. 

Suppose you receive some indicators of compromise (IOCs) from a threat intelligence feed, including a SHA256 hash. If this hash is seen in your environment, you want Microsoft Defender for Endpoint to raise an alert. To accomplish this, you need to create a custom alert based on a file indicator by following these steps: 


1. Log in to https://security.microsoft.com as a member of the Global Administrator or
Security Administrator Azure Active Directory roles or as a member of an Endpoint
role with the Manage Security Settings permission.

2. In the menu on the left, click Settings.

3. On the Settings page, click Endpoints.

4. On the Endpoints settings page under Rules, click Indicators.

5. Under File Hashes, click the Add Item option, which opens the Add File Hash Indicator
menu shown in Figure 1-92.


[Figure 1-92 screenshot: the Add File Hash Indicator fly-out, with the File Hash field and the Expires On (UTC) setting.]

FIGURE 1-92 Add a file hash indicator.


NOTE IMPORTING LISTS OF INDICATORS 


You can also import lists of indicators by using the Import option. A template is provided 
in the Import Option menu. 


6. On the Add File Hash Indicator fly-out menu on the Indicator page, in the File Hash
text box, type the following SHA256 hash. (This hash is from a benign text file generated
for the purposes of this book. You can generate your own text file and use the
Get-FileHash PowerShell command to test it in your environment.)

0296F272170F18B0A04760DE5DBA41029F74B3247F0609CBAA8858B4DB1C4333

7. Set Expires On (UTC) to Never, as previously shown in Figure 1-92, then click Next to
advance to the Action page shown in Figure 1-93.


[Figure 1-93 screenshot: the Action tab of the Add File Hash Indicator wizard, with Previous, Next, and Cancel buttons.]

FIGURE 1-93 Add File Hash Indicator, Action tab


8. Select Alert Only and provide an Alert Title, Alert Severity, Category, Recommended
Actions, and Description. Notice these are all the same fields you set in custom
detection rules. This is because we are configuring an alert to generate when this
indicator is seen. Click Next to move to the Scope page shown in Figure 1-94.

FIGURE 1-94 Add File Hash Indicator, Scope tab


9. Use the Scope page to configure what device group this indicator and alert will target.
Choose All Devices In My Scope and click Next.

10. The Summary page allows you to see all your choices. If everything looks good, click
the Save button. The next time this file hash is seen on any onboarded endpoint, an
alert will be raised with the previously entered information.


MORE INFO CREATE INDICATORS


For more information about creating indicators, see https://aka.ms/sc200_mdeioc. 
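Step 6 points at Get-FileHash for producing a test hash of your own. The following PowerShell script is an added example, not code from this book or from Microsoft: it creates a benign text file, hashes it with Get-FileHash, checks that the value has the shape of a SHA256 hash before it is used as an indicator, and builds the same alert-only file indicator definition that the wizard collects (title, severity, description, recommended actions, no expiry). The submission at the end uses the Microsoft Defender for Endpoint Indicators REST API, which the book does not cover; the endpoint, the field names and the $Token variable (a bearer token you obtain separately for an app registration with indicator write permission) are assumptions to verify against the API documentation before use.

```powershell
# Added example (not from the book): hash a benign test file the way the book
# suggests (Get-FileHash) and build an alert-only file indicator from it.
# Assumptions: the Indicators API endpoint and field names below come from the
# public Defender for Endpoint API, which the book does not cover; $Token is a
# bearer token you obtained separately. Nothing is submitted unless $Token is set.

# 1. Create a benign text file to use as the indicator sample.
$samplePath = Join-Path $env:TEMP 'sc200-indicator-sample.txt'
Set-Content -Path $samplePath -Value "Benign SC-200 test file $(Get-Date -Format o)"

# 2. Compute the SHA256 hash. Your value will differ from the hash printed in the
#    book because the file contents differ.
$hash = (Get-FileHash -Path $samplePath -Algorithm SHA256).Hash

# 3. Sanity-check the value before using it as an indicator:
#    a SHA256 hash is exactly 64 hexadecimal characters, no spaces.
if ($hash -notmatch '^[0-9A-Fa-f]{64}$') {
    throw "Unexpected hash format: $hash"
}

# 4. Build the indicator with the same fields the wizard asks for.
$indicator = @{
    indicatorValue     = $hash
    indicatorType      = 'FileSha256'
    action             = 'Alert'      # "Alert Only" in the portal; no blocking
    title              = 'SC-200 test file indicator'
    severity           = 'Medium'
    description        = 'Benign test file hash used to validate file indicator alerting.'
    recommendedActions = 'Verify the file on the reporting device; this is a test indicator.'
    # expirationTime omitted = never expires (the "Expires On (UTC): Never" setting)
}

# 5. Review the JSON body, then submit it only if a token was supplied.
$body = $indicator | ConvertTo-Json
Write-Host $body

if ($Token) {
    Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' `
        -Body $body
}
```

Keep the sample file around after creating the indicator: copying it to an onboarded device is the simplest way to confirm that the alert fires with the title and severity you entered, and the regular-expression check is worth keeping in any import script because a hash that picked up a stray space or a shortened line (as the one in the book did when it was printed) will silently never match.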


Managing risk through security recommendations and 
vulnerability management 

Keeping up with vulnerabilities and risky security configurations is a daunting task. Traditionally,
scanning-based vulnerability assessment tools seemed like they were doing good work.
They would scan as many devices as the tool could reach over the network, assess the
configuration weaknesses and vulnerabilities, and output a multipage report with all the required
actions that an already overworked infrastructure administration team would need to fix. There
are three major issues with this approach:

1. Offline devices are not scanned, resulting in blind spots in the report.

2. When the vulnerability or weakness on the device is remediated, it is a manual effort
to update the report or would require another scan that is also subject to incomplete
information caused by offline devices.

3. The list of weaknesses and vulnerabilities is typically a lengthy list with little prioritization.
IT teams mitigate the high-ranked items, but those items do not necessarily represent
true organizational risk.

One workaround to issues 1 and 2 above is to install an agent on the devices so they report
their data, rather than being scanned remotely. This leads to other issues, such as broken or
missing agents and lack of reporting when the device is not connected to the corporate network.

Threat and Vulnerability Management (TVM) in Microsoft Defender for Endpoint does not
have these issues for the following reasons:


1. There is no agent. The sensor is built into the Windows operating system.

2. There is no scanning. The Defender for Endpoint service that reports EDR data also
reports these weaknesses and vulnerabilities on an ongoing basis.

3. No corporate network required. Any time the device has access to the Internet,
it can send data since the Defender for Endpoint service is in Azure.

4. Vulnerabilities and configuration weaknesses are prioritized based on risk to the
organization. When the risk of a vulnerability or configuration weakness rises, such
as when a public exploit is posted that uses a vulnerability, the prioritization dynamically
changes to ensure that you remediate the riskiest vulnerabilities and weaknesses
in your environment.


MORE INFO THREAT AND VULNERABILITY MANAGEMENT


For more information about threat and vulnerability management, see 
https://aka.ms/sc200_tvm. 


Threat & Vulnerability Dashboard

You need to have a quick and clear view of the weaknesses and vulnerabilities that are present
across your organization. The Threat & Vulnerability Dashboard is a great way to get this
comprehensive, high-level assessment. Follow these steps to familiarize yourself with the dashboard.

1. Log in to https://security.microsoft.com as a member of the Global Administrator or
Security Administrator Azure Active Directory roles or as a member of an Endpoint
role with the View Data—Threat And Vulnerability Management permission.

2. Under Endpoints, expand Vulnerability Management and click Dashboard.

3. The following tiles are shown in the dashboard shown in Figure 1-95.

■ Exposure Score This shows the amount of exposure affecting devices in your
organization. Ideally, you want the score to be as low as possible.

■ Top Security Recommendations This is a list of actions you can take to lower your
Exposure Score. They are ordered by Impact, which is the measure of the number of
points by which your Exposure Score will be lowered by remediating that action.

■ Microsoft Secure Score For Devices This rates the security posture of your
environment based on Application, OS, Network, Accounts, and Security Controls.
A higher percentage indicates a better security posture.

■ Exposure Distribution This shows the number of devices that are susceptible to
attacks, which are ranked as High, Medium, and Low.

■ Remediation Activities This is a list of activities to remediate vulnerabilities and
configuration weaknesses.

■ Top Vulnerable Software This is a list of software with vulnerabilities that is
intelligently ranked on factors such as number of vulnerabilities, threats, and number of
affected devices.

■ Top Exposed Devices This is a list of devices with the most exposure that is
intelligently ranked on factors such as number of vulnerabilities, threats, and security
recommendations.


[Figure 1-95 screenshot: the Threat & Vulnerability Management dashboard, showing an Exposure Score of 30/100, a Microsoft Secure Score for devices of 46%, and the Exposure Distribution and Remediation Activities tiles.]

FIGURE 1-95 Threat & Vulnerability Management Dashboard


Remediation activities and exceptions 


Now that you have your security recommendations ranked intelligently and dynamically, you
need to assign remediation activities to the individual or teams responsible for patch
management. The Threat & Vulnerability Management Dashboard tells you which actions to take first
that will have the greatest impact in lowering the risk in your environment.


EXAM TIP 


Be sure to know how to create a remediation activity and exceptions! 


Follow these steps to create a remediation activity: 


1. Log in to https://security.microsoft.com as a member of the Global Administrator or
Security Administrator Azure Active Directory roles or as a member of an Endpoint
role with the Active Remediation Actions: Threat And Vulnerability
Management—Exception Handling And Remediation Handling role.

2. Under Endpoints, expand Vulnerability Management and click Recommendations
to open the view shown in Figure 1-96.

[Figure 1-96 screenshot: the Security Recommendations list.]

FIGURE 1-96 Security recommendations

3. Just remediating the Update Microsoft Windows 10 (OS And Built-In Applications) line
item will result in the Exposure Score lowering by 30.65 points. One of the reasons this
action will lower the score is because there is a verified, public exploit available for some
of the vulnerabilities that these two devices are affected by.


4. You can tell if there is an exploit available for one or more of these vulnerabilities by
looking at the icons under Threats. These threats indicate the following:

■ Threat insights As shown in Figure 1-97, when this icon is red, there is a publicly
available exploit for one or more vulnerabilities.

FIGURE 1-97 Threat insights icon

■ Breach insights If this icon is red, there is an active alert attributed to the
vulnerability, as shown in Figure 1-98.

FIGURE 1-98 Breach insights icon

5. Click Update Microsoft Windows 10 (OS And Built-In Applications) in the list of
security recommendations.
6. Click Request Remediation to open the view shown in Figure 1-99.

[Figure 1-99 screenshot: the Remediation Request wizard, showing the Remediation Options step.]

FIGURE 1-99 Remediation Request wizard


7. Select Software Update (Recommended) under Remediation Options. 


8. Select the Open A Ticket In Microsoft Endpoint Manager (For AAD Joined 
Devices) check box. 


TIP ENABLE MICROSOFT INTUNE CONNECTION 


If you do not see the Open A Ticket In Microsoft Endpoint Manager (For AAD Joined 
Devices) option, you need to turn on the Microsoft Intune Connection in the Endpoint 
Advanced Features settings. 


9. Select a Remediation Due Date.


10. Under Priority, select High. 
11. Type some notes under Add Notes and click Next to open the Review And Finish
screen shown in Figure 1-100.

[Figure 1-100 screenshot: the Review And Finish step of the Remediation Request wizard.]

FIGURE 1-100 Review And Finish, Request remediation wizard


12. Select Export All Remediation Request Data To CSV. This creates a CSV file that you
can provide with your change management request because it contains the remediation
action and a list of the machines requiring the remediation.

13. Click Submit.

14. Once the remediation request is created, click Done.

Now that you have a remediation request created, you can track the request in the
Remediation menu item under Vulnerability Management. Your patch management team should
now see the remediation request in Microsoft Endpoint Manager under Security Tasks, as
shown in Figure 1-101.

[Figure 1-101 screenshot: Endpoint security | Security tasks in Microsoft Endpoint Manager.]

FIGURE 1-101 Security tasks in Microsoft Endpoint Manager
MORE INFO REMEDIATE VULNERABILITIES WITH THREAT AND VULNERABILITY MANAGEMENT


For more information about remediating vulnerabilities, see https://aka.ms/sc200_tvmremedy. 


In some cases, you need to create an exception for a security recommendation, for example,
for machines that do not meet the hardware requirements for Credential Guard. Follow these
steps to create an exception for these machines:

1. Log in to https://security.microsoft.com as a member of the Global Administrator or
Security Administrator Azure Active Directory roles or as a member of an Endpoint
role with the Active Remediation Actions: Threat And Vulnerability
Management—Exception Handling And Remediation Handling role.

2. In the menu on the left, under Endpoints, expand Vulnerability Management and
click Recommendations.

3. In the Search option in the upper-right of the window, type credential guard. This
should filter the security recommendation list as shown in Figure 1-102.

[Figure 1-102 screenshot: the Security Recommendations list filtered to Turn On Microsoft Defender Credential Guard.]

FIGURE 1-102 Turn on Microsoft Defender Credential Guard

4. Click the Turn On Microsoft Defender Credential Guard security recommendation.
This will open a window with a description of the recommendation. Click the Exception
Options button at the bottom of the window to open the Create Exception screen
shown in Figure 1-103.
[Figure 1-103 screenshot: the Create Exception screen for Turn On Microsoft Defender Credential Guard, showing the Exception Scope (device group), Justification And Duration with Planned Remediation (Grace) selected, the Provide Justification Context text box, and the Exception Duration setting.]

FIGURE 1-103 Create Exception


5. This screen allows you to set the Exception Scope to a device group. Under Justification
And Duration, select Planned Remediation (Grace) to indicate that this is a
temporary exception. The Provide Justification Context text box allows you to enter
notes for the exception reason; in this case, the hardware is old, does not support
Credential Guard, and will be replaced. The Exception Duration allows
you to set a fixed time length (30, 60, or 90 days), or you can select a custom date up to
1 year beyond the current date.


6. Once you select your options, click Submit. 
7. When the Exception is created, click Done. 


You now have an exception created for the Turn On Microsoft Defender Credential 
Guard security recommendation. 
MORE INFO CREATE AND VIEW EXCEPTIONS FOR SECURITY RECOMMENDATIONS


For more information about managing exceptions, see https://aka.ms/sc200_tvmexception. 


Skill 1-3: Detect, investigate, respond, and remediate 
identity threats 


Your identity is composed of unique characteristics that other people and systems use to
distinguish you from other people and objects. Most people think of Social Security Numbers
or driver's licenses when you ask them what identity means to them. In security operations, an
identity is a set of credentials that is used to identify a user or system and grant authorization
and access to a system based on these credentials. When identities are compromised, the
attacker effectively becomes the identity, using it to conceal themselves and gain unauthorized
access to systems.


Identifying and responding to Azure Active Directory 
identity risks 

In Azure Active Directory (AD) Identity Protection, there are two methods that can be used to
detect attackers using stolen identities to access systems. These methods include:

■ User risk The user account shows a pattern of unusual usage.

■ Sign-in risk The user account signs in from a known suspicious IP address.

When an identity such as a user account shows signs of either of these conditions,
protections can be put in place to ensure the user account is being used by the intended party. These
protections can be put in place either automatically, such as forcing a multifactor
authentication (MFA) challenge followed by a password reset, or by an administrator taking actions to
secure the account through blocking a user account. Azure AD Identity Protection policies can
be set to configure Azure Active Directory to respond and remediate appropriately to these
identity threats.

In Skill 1-1, you saw that Contoso CFO Paul DePaul’s credentials were phished using a fake 
log-in page. You need to determine if Paul's identity—his user account—was stolen using Azure 
AD Identity Protection and if so, remediate this threat and configure the appropriate policies to 
improve the protection of user accounts going forward. To do this, follow these steps: 

1. Log in to https://portal.azure.com as a Global Administrator or Security Administrator.

2. Using the Search bar at the top of the portal, type identity protection and click Azure
AD Identity Protection to open the Identity Protection Overview page shown in
Figure 1-104.

[Figure 1-104 screenshot: the Identity Protection | Overview page.]

FIGURE 1-104 Azure AD Identity Protection Overview

3. You see there are risky users and sign-ins detected. Under the Report section on the
left, click Risky Users, as shown in Figure 1-105.

FIGURE 1-105 Recent Risky Sign-Ins

4. You see that there are several risky sign-ins for Paul DePaul. Clicking the first entry
in the list and then clicking Risk Info in the lower pane brings up the view shown in
Figure 1-106.

[Figure 1-106 screenshot: the Risky Sign-Ins report with the Risk Info pane open.]

FIGURE 1-106 Risky Sign-Ins risk information

This successful log-in was from an anonymous IP address. Anonymous IPs are used by
attackers to mask their real IP addresses so that they remain anonymous on the Internet.

5. In this example, clicking the user's risk report takes you to the Paul DePaul—Risky
Users screen, which is shown in Figure 1-107.

[Figure 1-107 screenshot: the Paul DePaul - Risky Users screen.]

FIGURE 1-107 Risky users

6. You can take action based on the findings so far. Because it seems that Paul's account
is compromised given the amount of risky sign-in events and his account's Risk Level
is High, click Block User to prevent future sign-ins for Paul's account. Click Confirm
User Compromised, which will signal back to Azure AD Identity Protection that this is
a true positive.


MORE INFO IDENTITY PROTECTION RISKS


For more information about identity protection risks, see https://aka.ms/sc200_idrisks. 


Configuring users at risk alerts 


You need to be alerted when a risky user or sign-in is detected. To be notified via email alerts 
when this type of risky activity occurs, follow these steps: 


1. Log in to https://portal.azure.com as a Global Administrator or Security Administrator.

2. Using the Search bar at the top of the portal, type identity protection and click Azure
AD Identity Protection.

3. Under Notify, click Users At Risk Detected Alerts, as shown in Figure 1-108.

[Figure 1-108 screenshot: the Identity Protection | Users at risk detected alerts page.]

FIGURE 1-108 Users At Risk Detected Alerts

4. Here, you can type email addresses to be notified when a user's risk level reaches or
exceeds the Low, Medium, or High level. You want to be alerted any time any risk is
detected, so select Low and click Save.

5. Weekly Digest is a weekly email containing risky sign-ins, risky users, and links to the related
reports, sent to users you specify. Configure the users whom you want to receive the
weekly digest and click Save.


MORE INFO AZURE AD IDENTITY PROTECTION NOTIFICATIONS


For more information about configuring these notifications, see https://aka.ms/ 
sc200_idpnotify. 


Configuring multifactor authentication and risk policies 


To improve your defenses against identity compromise such as what happened to Paul's user
account, you can configure policies to make it harder for attackers to use compromised
accounts if they have the username and password for the account. A multifactor authentication
(MFA) registration policy allows you to add a third form of authentication in addition to the
username and password required when a user logs in. In the previous example with Paul's
account, the attacker had the username and password and could log in. Once MFA is added to
Paul's account, when Azure AD Identity Protection detects a risky sign-in for Paul, Azure AD
could then challenge him to use a third form of authentication, such as a rotating code on his
cell phone, before granting him access.


To require users to register for MFA, follow these steps to set an MFA registration policy: 
1. Log in to https://portal.azure.com as a Global Administrator or Security Administrator. 


2. Using the Search bar at the top of the portal, type identity protection and click Azure 
AD Identity Protection. 
3. Under Protect, click MFA Registration Policy, as shown in Figure 1-109.

[Figure 1-109 screenshot: the Identity Protection | MFA registration policy page, with Assignments showing 1 group included (Finance Department) and the Protect menu listing User risk policy, Sign-in risk policy, and MFA registration policy.]

FIGURE 1-109 MFA registration policy


4. Under Assignments, choose the users or groups to target for this policy. In this
example, the finance department that Paul is a member of is targeted.


5. Under Enforce Policy, click to activate the policy, and then click Save. 


Now that an MFA registration policy is configured, you can configure an MFA challenge if
Azure AD Identity Protection suspects a sign-in is risky. Follow these steps to configure a
sign-in risk policy.

1. Log in to https://portal.azure.com as a Global Administrator or Security Administrator.

2. Using the Search bar at the top of the portal, type identity protection and click Azure
AD Identity Protection.

3. Under Protect, click Sign-In Risk Policy, as shown in Figure 1-110.

4. Under Users, select the desired users or groups. In this example, we have chosen the
finance department.

5. Under Sign-In Risk, specify the risk level that will trigger the policy. Select Low And
Above to trigger an alert on any indication that the sign-in is risky.

FIGURE 1-110 Sign-In Risk Policy

6. Under Controls, select Allow Access, select Require Multi-Factor Authentication,
and click Done.

7. Click the Enforce Policy slider to the On position, and then click Save.


Next, you configure a user risk policy that will take action when a user is marked as being at
risk. Follow these steps:

1. Log in to https://portal.azure.com as a Global Administrator or Security Administrator.

2. Using the Search bar at the top of the portal, type identity protection and click Azure
AD Identity Protection.

3. Under Protect, click User Risk Policy, as shown in Figure 1-111.

FIGURE 1-111 User Risk Policy

4. Under Users, select the desired users or groups. In this example, we have chosen the
finance department.

5. Under User Risk, specify the risk level that will trigger the policy. Select High to trigger
on users who are marked as high risk.

6. Under Controls, select Allow Access, select the Require Password Change box, and
click Done.

7. Click the Enforce Policy slider to toggle it On, and then click Save.


MORE INFO IDENTITY PROTECTION POLICIES


For more information about configuring Identity Protection policies, see https://aka.ms/ 
sc200_idppol. 


Identifying and responding to Active Directory Domain
Services threats using Microsoft Defender for Identity

Microsoft Defender for Identity helps you detect and investigate malicious activity involving
identities in Active Directory. Using various signals like network traffic and events from domain
controllers, Defender for Identity can detect and investigate techniques in the following stages
of the MITRE ATT&CK framework:

■ Reconnaissance
■ Credential access
■ Discovery
■ Lateral movement
■ Exfiltration
■ Command and control
■ Defense evasion
■ Persistence


To begin monitoring your Active Directory environment, follow this process:

1. First, you need to create your Microsoft Defender for Identity instance.

2. Once the instance is created, you then configure a user account or, preferably, a group
Managed Service Account (gMSA) so that Defender for Identity can look up objects in
Active Directory.

3. Lastly, you install the Microsoft Defender for Identity sensor on each of your domain
controllers.

Each sensor gathers network traffic and events from your domain controllers to detect
malicious activity and generate alerts.


MORE INFO QUICKSTART FOR MICROSOFT DEFENDER FOR IDENTITY


For a quick start guide on setting up Defender for Identity, see 
https://aka.ms/sc200_setupmdi. 
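Step 2 of the process above recommends a gMSA for the directory lookups. The following PowerShell is an added example, not the book's or Microsoft's own setup script, showing how such an account is created so that only the domain controllers (where the sensors run) are allowed to retrieve its managed password. It assumes the ActiveDirectory RSAT module, Domain Admin rights, and the account name mdiSvc01; the back-dated KDS root key is a lab-only shortcut, and the sensor's exact requirements for the account are in the quick start linked above.

```powershell
# Added example (not from the book): create the gMSA that the Defender for Identity
# sensor uses to query Active Directory. Run on a domain controller (or a machine
# with the ActiveDirectory RSAT module) as a Domain Admin.
# Assumptions: account name mdiSvc01; the DNS host name is derived from the domain.
Import-Module ActiveDirectory

$gmsaName = 'mdiSvc01'                 # assumed name for the sensor's service account
$domain   = (Get-ADDomain).DNSRoot     # e.g. contoso.local

# gMSAs require a KDS root key in the forest. A freshly created key only becomes
# usable about 10 hours later; back-dating EffectiveTime is a lab-only shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# Least privilege on the password: only members of the built-in Domain Controllers
# group (the hosts running the sensor) may retrieve the managed password.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword 'Domain Controllers' `
    -KerberosEncryptionType AES256 `
    -Description 'Microsoft Defender for Identity sensor directory service account'

# Verify from a domain controller that this host can use the account. A result of
# False usually means the host is not among the allowed principals or its Kerberos
# ticket has not yet picked up the group membership.
Test-ADServiceAccount -Identity $gmsaName
```

Because no one ever knows the password, a gMSA removes the most common failure of the plain user-account option (an expired or leaked password silently breaking the sensor), and the Domain Controllers restriction means a compromised workstation cannot retrieve the credential even if it learns the account name.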
Investigating an alert in Microsoft Defender for Identity

An example of a technique in the reconnaissance stage is when an attacker explores Server 
Message Block (SMB) sessions from a server, such as a file server or domain controller, to find 
user accounts and the IP addresses they originate from. This allows the attacker to map out 
what accounts they need to compromise to gain access to the systems with those IP addresses. 
The User And IP Address Reconnaissance (SMB) alert in the Defender for Identity portal shows 
this attack. You will use this alert to train your security operations team on how to triage alerts 
in the Microsoft Defender for Identity portal. 


MORE INFO GENERATING A SIMILAR ATTACK

To generate a similar alert in your environment, follow the lab guide here:
https://aka.ms/sc200_mdiplaybook.


Follow these steps to triage this alert: 


1. Log in to the Microsoft Defender for Identity portal at https://portal.atp.azure.com 
as a member of the Global Administrator or Security Administrator Azure AD role. 
You can also log in as a lower-privileged user if they are a member of the Azure ATP 
(instance name) Administrators, Azure ATP (Instance Name) Users, or Azure ATP 
(Instance Name) Viewers Azure AD groups. This opens the Timeline view shown in 
Figure 1-112. 


FIGURE 1-112 Microsoft Defender for Identity Timeline 


2. The Timeline shows alerts generated by Defender for Identity in chronological order. 
Click the User And IP Address Reconnaissance (SMB) alert to open the alert shown in 
Figure 1-113. 
FIGURE 1-113 Alert detail

The alert tells you that two different accounts from WIN10-1 enumerated SMB sessions
on the domain controller named DC1. Hovering the mouse over DC1 shows the operating
system, when the machine was first seen, and the domain it is a member of. Also, you
can see that it is marked as a Sensitive object because it is a domain controller.


Under Evidence, you can see the accounts and IP addresses that were exposed 
because of this enumeration, which can help you in your investigation into suspicious 
activities involving these accounts. 


You can also search for a user account and see details about the alert. In the Search box
located in the upper-right portion of the screen, type helpdesk1 and press Enter to
bring up the helpdesk1 user page shown in Figure 1-114.


FIGURE 1-114 User account timeline 
The user account helpdesk1 has five open security alerts and is logged into two
different computers. Also, you can access a timeline view of the activities performed by
helpdesk1. Click Directory Data on the left to display the view shown in Figure 1-115.


FIGURE 1-115 User Directory Data 


This view shows information from Active Directory about the user, such as group 
memberships, account info, and user account control features, such as Password 
Never Expires. Note this account is also marked Sensitive because it is a member of a 
sensitive group, Domain Admins And Administrators. 


Note the profile picture of helpdesk1 is a bee. This is because helpdesk1 is configured 
as a Honeytoken account, as shown in Figure 1-116. 


FIGURE 1-116 Honeytoken configuration 


An account can be configured as a Honeytoken account so that an alert will generate
when the user account authenticates to Active Directory. This can serve as a trap for
attackers to signal they are in your environment.


MORE INFO MANAGE SENSITIVE OR HONEYTOKEN ACCOUNTS


More information about sensitive and honeytoken accounts can be found here: 
https://aka.ms/sc200_mdihoney. 
MORE INFO WORKING WITH THE MICROSOFT DEFENDER FOR IDENTITY PORTAL


You can learn more about the Defender for Identity portal at 
https://aka.ms/sc200_mdiportal. 


Using Microsoft Cloud App Security to identify and respond
to threats in Software as a Service

While Software as a Service (SaaS) provided faster time-to-value because of its quick
implementation times for users, SaaS also introduced new challenges for security operations and
data loss prevention teams in terms of monitoring and application control. The use of SaaS
applications such as Office 365, Dropbox, and others allows users to share files and interact with
people outside their organizations more easily than ever before. The need for security
operations teams and data loss prevention officers to monitor and control this type of activity is what
birthed the Cloud App Security Broker (CASB) market. CASB products, such as Microsoft Cloud
App Security (MCAS), allow security operations and data loss prevention teams to:

■ Discover what cloud applications are used in the environment.

■ Apply conditional access to sanctioned cloud applications for session control, such as
allowing files to be downloaded only to corporate-owned assets.

■ Use policies to control what data is shared from the cloud application and with whom
it is shared.

■ Detect anomalies and threats associated with cloud application sign-ins and activities.


Configure threat detection policies in MCAS 


MCAS has several threat-detection policies for discovering and alerting on suspicious and
malicious activities occurring in cloud applications. One of the built-in anomaly detection policies is
the Impossible Travel Policy. The Impossible Travel Policy raises an alert when a user performs
actions in a cloud application from two physical locations during a time interval that is shorter
than the time it would take someone to travel between these two locations.


Let's say you suspect that there are anomalous user log-in activities occurring in your 
environment, such as user accounts being used from disparate locations. Follow these steps to 
examine the Impossible Travel Policy that can detect these threats: 


1. Log in to https://portal.cloudappsecurity.com as a member of the Global Administrator 
or Security Administrator Azure AD roles. 


MORE INFO MANAGE ADMIN ACCESS

MCAS supports role-based access controls. Learn more at https://aka.ms/sc200_mcasrbac.

2. Under Control, click Policies.

3. Click the Threat Detection tab at the top of the main page.

4. Scroll down and click Impossible Travel Policy to open the Edit Anomaly Detection
Policy page shown in Figure 1-117.


[Figure 1-117 screenshot: the Edit Anomaly Detection Policy page for the Impossible Travel Policy.]

FIGURE 1-117 Edit Anomaly Detection Policy

5. In the Edit Anomaly Detection Policy page for the Impossible Travel Policy, you can
target specific users or groups for the policy and adjust the Sensitivity of the policy. For
example, if most of your users travel frequently, you can set the Sensitivity to Low.
However, because your finance department users do not travel and the group contains users
with access to sensitive data, you need the policy to be more sensitive for those users.
6. Find the Scope section of the policy page shown in Figure 1-118.

[Figure 1-118 screenshot: the Scope section of the Impossible Travel Policy, showing All Users And Groups and the Sensitivity slider.]

FIGURE 1-118 Impossible Travel Policy Scope


7. Select Set Sensitivity To Specific Users And Groups. 
8. Under Filters, select User Groups Equals Finance Department. 


9. Slide the Sensitivity bar under the filter to High. This will increase the sensitivity for 
finance department users for this policy. 


10. You can configure Alerts from this policy to be sent via email or text message. Because
you are using Microsoft 365 Defender, these alerts will appear in the Microsoft 365
Security portal (https://security.microsoft.com), so there is no need to configure an Alert here.


11. Scroll down to see the Governance Actions shown in Figure 1-119.

[Figure 1-119 screenshot: the Governance Actions section, including the Suspend User option.]

FIGURE 1-119 Governance Actions
12. You can select actions to apply to all cloud apps or to specific actions for specific cloud
apps when the policy is matched by an activity. Under Office 365, select the Confirm
User Compromised option. This will flag the user to be challenged for MFA, and if
successful, the user will be required to change their password per your sign-in and user risk
policy settings defined in Skill 1-2.


13. Once finished, click Update to save your changes to the policy. 


NOTE SEVEN-DAY LEARNING PERIOD 


The Impossible Travel Policy has a learning period of seven days, during which it learns each 
user's normal activity pattern and locations, to minimize benign true positives as much as possible. 
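The policy knobs just described (per-group sensitivity, the seven-day learning period, and excluding known IP ranges such as a VPN egress, which is also the tuning suggested in this chapter's thought experiment) can be made concrete with a small detector. The following Python is an added example written for this edition; it is not code from the book or from MCAS. The speed thresholds behind each sensitivity level, the coordinates, the IP ranges and the sign-in events are all constructed assumptions, because MCAS does not publish its internal thresholds; the check itself is the standard one, the great-circle distance between consecutive sign-ins divided by the time between them.

```python
"""Added example (not from the book): a minimal impossible-travel detector that
models three MCAS policy knobs: per-user sensitivity, excluded IP ranges and the
seven-day learning period. All thresholds, coordinates and events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
LEARNING_PERIOD = timedelta(days=7)  # no alerts until a week of history exists
# Slowest implied speed (km/h) that still raises an alert. Higher sensitivity
# means a lower bar, so a High-sensitivity Finance group gets more alerts.
SPEED_THRESHOLD_KMH = {"low": 2000.0, "medium": 1200.0, "high": 700.0}


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float
    country: str


@dataclass(frozen=True)
class Alert:
    user: str
    from_country: str
    to_country: str
    minutes: float
    speed_kmh: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_known_ip(ip, known_ranges):
    """True if the address falls in a tagged range (VPN egress, office NAT)."""
    addr = ip_address(ip)
    return any(addr in net for net in known_ranges)


def detect_impossible_travel(events, sensitivity_of, known_ranges=()):
    """Return an Alert for each pair of consecutive sign-ins by the same user
    whose implied speed exceeds the threshold for that user's sensitivity.
    sensitivity_of maps a user to "low", "medium" or "high"."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, seq in by_user.items():
        first_seen = seq[0].when
        threshold = SPEED_THRESHOLD_KMH[sensitivity_of(user)]
        for prev, cur in zip(seq, seq[1:]):
            if cur.when - first_seen < LEARNING_PERIOD:
                continue  # still learning this user's normal locations
            if is_known_ip(prev.ip, known_ranges) or is_known_ip(cur.ip, known_ranges):
                continue  # tagged VPN/office ranges are not compared
            # Treat simultaneous events as one second apart to avoid division by zero.
            hours = max((cur.when - prev.when).total_seconds(), 1) / 3600
            speed = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours
            if speed > threshold:
                alerts.append(Alert(user, prev.country, cur.country, hours * 60, speed))
    return alerts


# Constructed sample data: Finance is scoped to High, everyone else to Low.
FINANCE_GROUP = {"paul@contoso.com"}
KNOWN_RANGES = [ip_network("203.0.113.0/24")]  # constructed corporate VPN egress
T0 = datetime(2021, 4, 11, 20, 0)


def sensitivity_for(user):
    return "high" if user in FINANCE_GROUP else "low"


SAMPLE_SIGNINS = [
    # Paul: baseline ten days earlier, then Amsterdam -> Moscow in four minutes.
    SignIn("paul@contoso.com", T0 - timedelta(days=10), "198.51.100.10", 52.37, 4.90, "NL"),
    SignIn("paul@contoso.com", T0, "198.51.100.10", 52.37, 4.90, "NL"),
    SignIn("paul@contoso.com", T0 + timedelta(minutes=4), "192.0.2.77", 55.76, 37.62, "RU"),
    # Lee: frequent traveller, London -> Paris in twenty minutes (about 1030 km/h).
    SignIn("lee@contoso.com", T0 - timedelta(days=10), "198.51.100.20", 51.51, -0.13, "GB"),
    SignIn("lee@contoso.com", T0, "198.51.100.20", 51.51, -0.13, "GB"),
    SignIn("lee@contoso.com", T0 + timedelta(minutes=20), "198.51.100.21", 48.86, 2.35, "FR"),
    # Carol: Seattle, then the Dublin VPN egress five minutes later.
    SignIn("carol@contoso.com", T0 - timedelta(days=10), "198.51.100.30", 47.61, -122.33, "US"),
    SignIn("carol@contoso.com", T0, "198.51.100.30", 47.61, -122.33, "US"),
    SignIn("carol@contoso.com", T0 + timedelta(minutes=5), "203.0.113.5", 53.35, -6.26, "IE"),
    # New hire: same hop as Paul, but still inside the learning period.
    SignIn("new@contoso.com", T0 - timedelta(days=2), "198.51.100.40", 52.37, 4.90, "NL"),
    SignIn("new@contoso.com", T0, "198.51.100.40", 52.37, 4.90, "NL"),
    SignIn("new@contoso.com", T0 + timedelta(minutes=4), "192.0.2.78", 55.76, 37.62, "RU"),
]

if __name__ == "__main__":
    for a in detect_impossible_travel(SAMPLE_SIGNINS, sensitivity_for, KNOWN_RANGES):
        print(f"{a.user}: {a.from_country} -> {a.to_country} in {a.minutes:.0f} min "
              f"({a.speed_kmh:,.0f} km/h)")
```

Run as written, only Paul's Netherlands-to-Russia hop is reported: Lee's London-to-Paris hop is below the Low threshold, Carol's second sign-in comes from the tagged VPN range, and the new hire has not finished the learning period. Calling the same function with every user at "high" flags Lee as well, and dropping the known ranges flags Carol, which is exactly the trade-off the Scope and IP-range settings control.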


Respond to alerts in MCAS 


When policies are matched, alerts will be generated for investigation and response. You con- 
figured the Impossible Travel Threat detection policy, so now you will investigate the gener- 
ated alerts. Follow these steps to investigate an Impossible travel alert: 


1. Log in to https://portal.cloudappsecurity.com as a member of the Global Administrator 
or Security Administrator Azure AD roles. 


2. Click the Alerts option in the menu on the left. 


3. At the top of the Alerts page, click the Category Filter drop-down menu and select 
Threat Detection. 


4. Click the Impossible Travel Activity alert to open the alerts shown in Figure 1-120. 


FIGURE 1-120 Impossible Travel Activity alerts 
5. The alert indicates that Paul DePaul had activities originating from the Netherlands 
and Russia within a 4-minute period, which is what triggered the alert. A subset of 
the activities performed using Paul's account is shown in the Activity Log section. 
All activities can be seen by clicking the Investigate In Activity Log option. 

EXAM TIP 

You must enable File Monitoring in the MCAS settings under Information Protection to 
see file activity stored in cloud apps. 


6. Click the drop-down menu next to Resolution Options, as shown in Figure 1-121. 

FIGURE 1-121 Resolution options 

7. Because it appears that Paul's account is compromised, click Confirm User Compromised. 

8. Click Confirm User Compromised again on the confirmation pop-up window. 

9. Because you have taken steps to mitigate this alert, click the Close Alert button shown 
in Figure 1-122. 

FIGURE 1-122 Close Alert 

10. Click True Positive. 
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11. The Close Alert As True Positive pop-up window offers these options: Comment, 
Send Feedback, and Opt-In To Share Your Email Address. The latter option allows 
the MCAS development team to contact you for more information if required. 


MORE INFO MANAGE ALERTS 


For more information on managing alerts in MCAS, see https://aka.ms/sc200_mcasalertmgmt. 


MORE INFO DETECT SUSPICIOUS USER ACTIVITY WITH UEBA 


For a full tutorial on managing IP address ranges and tuning anomaly detection policies in 
MCAS, see https://aka.ms/sc200_mcasalerttune. 


Skill 1-4: Manage cross-domain investigations in the 
Microsoft 365 Defender Security portal 


In the previous skills, you investigated alerts generated in each of the Microsoft threat 
protection products and the risk domains they cover (see Figure 1-123). 


Product                            Risk domain 
Microsoft Defender for Office 365  Email and Office documents 
Microsoft Defender for Endpoint    Devices 
Microsoft Defender for Identity    Identities 
Microsoft Cloud App Security       Cloud applications 


FIGURE 1-123 Microsoft threat protection products 


Each of these products is best-in-market for the risk domain it covers. Unfortunately, 
attackers do not operate in silos. They move to whatever risk domain they need to achieve their 
end goals. Investigation is especially challenging for security operations teams for the following 
reasons: 


■ Alerts are investigated individually, and there are too many alerts to triage and manage. 
■ Alerts generated by each threat protection product appear in separate consoles. 
■ Each console has a different look and feel and requires a wide variety of skill sets. 
■ Automated self-healing is siloed to each threat protection product. 
■ Data searches are done within each risk domain. 

Microsoft 365 Defender addresses these challenges with the following design principles: 


■ Single-incident model: Machine learning runs across alerts generated by each threat 
protection product and groups them into incidents. This helps the incident responder 
track an attacker as they move through risk domains. 
■ Portal consolidation: Each of the threat protection products is consolidating into the 
Microsoft 365 Security portal at https://security.microsoft.com. 
■ Automated self-healing: Automated self-healing now spans the email and device 
risk domains. 
■ Advanced hunting unified schema: One schema to rule all the threat domains. 


Examine a cross-domain incident 


Contoso Corporation recently experienced a security incident on April 11, 2021, which involved 
a high-ranking finance officer named Paul DePaul and the CEO Bob Smith. Figure 1-124 is a 
flow diagram of the attack. 


FIGURE 1-124 Security incident flow diagram (attacker's Gmail account and computer, Tor browser, 
credential phishing site and phishing URL, Paul DePaul's mailbox, Excel file with malicious macro, 
URL to malicious document, Paul DePaul the finance officer, Bob Smith the CEO, Contoso domain) 


Following are the steps of the attack shown in Figure 1-124: 


1. The attacker sends an email to Paul DePaul, a high-ranking finance officer at Contoso 
Corporation. In the email is a URL to a credential phishing site, and the email appears to 
come from Bob Smith, the CEO of Contoso Corporation. 


2. Paul clicks the link and enters his username and password into the website, which means 
the attacker now has Paul's credentials. 


3. The attacker uses a Tor browser to anonymously access Paul's mailbox. 


4. The attacker sets up an email forwarding rule to send emails received by Paul from Bob 
Smith to the attacker's email address. 


5. The attacker emails Bob Smith using Paul's mailbox. The email contains a URL to a 
malicious, macro-enabled Excel document hosted on a web server. 


6. Bob opens the Excel document thinking it is from Paul. He runs the macro, which sets up 
a command-and-control channel back to the attacker's computer. 

7. The attacker begins to run commands to explore Contoso's Active Directory domain. 

This attack spans the risk domains of email, identity, and device, which makes it time 
consuming to piece together using individual alerts and possibly involves separate teams at 
Contoso. Because the attacker is already on a device inside Contoso, the security operations 
team needs to work quickly to mitigate the threat. 
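Step 4 is the persistence the attacker leaves behind: an inbox rule that quietly forwards the CEO's mail outside the tenant. The alert for it (Creation Of Forwarding/Redirect Rule) is examined later in this skill; the following Python is an added example, not code from the book or from Microsoft, that applies the same check to audit records. The records are constructed to resemble Exchange Online New-InboxRule and Set-InboxRule entries from the unified audit log (Operation, UserId and a Parameters list of Name/Value pairs); treat those field names and the contoso.com accepted-domain list as assumptions to verify against an export from your own tenant.

```python
"""Added example (not from the book): flag inbox rules that forward or redirect
mail outside the organisation. The audit-record layout (Operation, UserId,
Parameters as Name/Value pairs) is an assumption modelled on the unified audit
log; the records themselves are constructed."""
import re

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ACCEPTED_DOMAINS = {"contoso.com"}  # constructed; use your tenant's accepted domains
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _params(record):
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_forwarding_targets(record, accepted_domains=ACCEPTED_DOMAINS):
    """Return the external addresses an inbox-rule record forwards or redirects to.

    The parameter value may be a bare address, 'Display Name <addr>' or several
    recipients separated by ';', so addresses are extracted with a regex rather
    than split on a single delimiter."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = _params(record)
    targets = set()
    for name in FORWARDING_PARAMS:
        for addr in ADDRESS_RE.findall(params.get(name) or ""):
            if addr.rsplit("@", 1)[1].lower() not in accepted_domains:
                targets.add(addr)
    return sorted(targets)


def find_external_forwarding(records, accepted_domains=ACCEPTED_DOMAINS):
    """Return (user, rule name, external targets, 'From' condition) per risky rule."""
    findings = []
    for rec in records:
        targets = external_forwarding_targets(rec, accepted_domains)
        if targets:
            params = _params(rec)
            findings.append((rec.get("UserId"), params.get("Name", ""),
                             targets, params.get("From", "")))
    return findings


# Constructed sample records.
SAMPLE_RECORDS = [
    {   # The attacker's rule in Paul's mailbox: mail from the CEO goes to Gmail.
        # A one-character rule name is a common attacker habit.
        "Operation": "New-InboxRule", "UserId": "paul@contoso.com",
        "ClientIP": "192.0.2.44",  # constructed
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "From", "Value": "bob@contoso.com"},
            {"Name": "ForwardTo", "Value": "Paul DePaul <pauldepaul.finance@gmail.com>"},
            {"Name": "StopProcessingRules", "Value": "True"},
        ],
    },
    {   # Legitimate delegation to colleagues inside the tenant.
        "Operation": "New-InboxRule", "UserId": "lee@contoso.com",
        "Parameters": [
            {"Name": "Name", "Value": "Cover while travelling"},
            {"Name": "ForwardTo", "Value": "kim@contoso.com;sam@contoso.com"},
        ],
    },
    {   # A rule that only files mail into a folder.
        "Operation": "Set-InboxRule", "UserId": "carol@contoso.com",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"},
        ],
    },
    {   # Mailbox-level forwarding is a different operation, not an inbox rule.
        "Operation": "Set-Mailbox", "UserId": "dan@contoso.com",
        "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:dan@example.org"}],
    },
]

if __name__ == "__main__":
    for user, rule, targets, cond in find_external_forwarding(SAMPLE_RECORDS):
        print(f"{user}: rule {rule!r} forwards mail from {cond or 'anyone'} "
              f"to {', '.join(targets)}")
```

Only Paul's rule is reported, together with its From condition, which is what tells you the attacker was interested specifically in Bob's mail. Mailbox-level forwarding set with Set-Mailbox (the last record) is a sibling technique; the same function covers it if you add that operation and its ForwardingSmtpAddress parameter to the two lookup sets.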


Manage a cross-domain incident using 
Microsoft 365 Defender 


Microsoft 365 Defender uses a single incident model that aggregates alerts from Microsoft 
Defender for Office 365, Defender for Endpoint, Defender for Identity, and MCAS. Data from 
each of these solutions is also aggregated to provide a unified hunting experience. 


You need to triage the incident in Microsoft 365 Defender, stop the attacker, and remediate 
the threat. Follow these steps to mitigate this incident: 


1. Log in to https://security.microsoft.com as a member of the Global Administrator or 
Security Administrator Azure Active Directory roles. 


2. On the Home screen, the Threat Analytics card is shown (see Figure 1-125). 


FIGURE 1-125 Threat analytics tile 
3. The Threat Analytics card indicates there is 1 active threat: Adwind RAT lands using 
DDE. Click the red bar to open the Threat Analytics Report shown in Figure 1-126. 


FIGURE 1-126 Threat analytics report (1 impacted device; 3 active alerts in 1 active incident; 
1 misconfigured device) 


4. Threat analytics is a collection of threat intelligence reports written by threat researchers 
at Microsoft. Data from Microsoft 365 Defender is integrated into these reports to 
indicate the degree to which your organization is exposed to the described threat. The report 
also shows ways to mitigate these risks. 


5. Under Related Incidents, you see that there are three active alerts in one active 
incident. Click View All Related Incidents. 


6. Click the incident listed under Related Incidents to open the incident view shown in 
Figure 1-127. 

7. The incident that was linked to the Threat Analytics report is titled Multi-Stage Incident 
Involving Initial Access & Discovery On One Endpoint Reported By Multiple 
Sources. This name is generated by machine learning that aggregated all the alerts 
from the alert sources. You see that there are 16/16 Active Alerts that fall within four 
MITRE ATT&CK tactics. This indicates that of the 16 alerts in this incident, 16 of them 
are not yet resolved. You also see that there is one impacted device, two impacted users, 
and one impacted mailbox. 
FIGURE 1-127 Incident page (16/16 active alerts; 4 MITRE ATT&CK tactics; 1 impacted device; 
2 impacted users; 1 impacted mailbox; 11 entities found) 


8. To mitigate the threat as fast as possible, you need to isolate the affected device and 
prevent the involved user accounts from logging in. Click the Devices section to bring 
up the Devices tab shown in Figure 1-128. 


FIGURE 1-128 Devices tab 


9. In this example, click the bubble next to the win10-2 device, and then click Isolate De- 
vice. In the isolation confirmation pop-up window, enter comments into the Comments 
field. It is mandatory that you add comments so that other incident responders working 
in the console know why the device has been isolated. Once you enter your comments, 
click Confirm. 


10. Click the Users section to open the Users tab shown in Figure 1-129. 


FIGURE 1-129 Suspend User 
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11. Click the Paul user object as shown in Figure 1-129, click the ellipsis (...) to display 


additional actions and click Suspend User. Click Suspend User on the confirmation 
pop-up window. Repeat these steps for the Bob user object located under Paul. This 
will prevent Paul and Bob from logging in, but it also will keep the attacker from logging 
in as Paul or Bob. 


Now that the threat is mitigated, you need to investigate the attack to understand how it 
developed. Follow these steps to investigate how the attack happened: 


1. Click Manage Incident in the upper-right part of the screen. Click Assign To Me 
and then click Save. Next, click the Alerts section to bring up the alert view shown 
in Figure 1-130. 


FIGURE 1-130 Alerts view in an incident 


2. In the Service Source column, multiple sources are shown. Click the bubble next to the 
Impossible Travel Activity alert to display further details about this alert, as shown in 
Figure 1-131. 

3. This alert indicates that Paul DePaul traveled from the Netherlands to Russia within 
4 minutes. 

FIGURE 1-131 Impossible Travel Activity alert 


4. In the Alerts list, click the bubble next to Creation Of Forwarding/Redirect Rule, 
and then click Open Alert Page, as shown in Figure 1-132. 


FIGURE 1-132 Inbox mail forwarding rule 


5. In this alert, you see that a new rule was created in Paul's mailbox. The rule details 
show that the rule forwards emails to a gmail.com account when the email is 
from Bob. 
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6. Return to the Alerts page of the incident. 


7. Click the bubble next to one of the Suspicious PowerShell Command-Line alerts and 
click Open Alert Page, as shown in Figure 1-133. 


FIGURE 1-133 Suspicious PowerShell Command Line alert (alert story: An Office application ran 
suspicious commands; Suspicious behavior by Microsoft Excel was observed; Suspicious PowerShell 
command line; EXCEL.EXE launched a script inspected by AMSI) 


8. At the top of the alert page are the entities that the alert applies to: the device win10-2 
and the user CONTOSO\bob. Under Alert Story is the process tree where the rest of 
the alerts in this incident are shown. Because there are multiple alerts pertaining to 
EXCEL.EXE, Defender for Endpoint taints this process (marks it as untrustworthy), 
which means all subprocesses and their associated alerts are shown. This prevents the 
incident responder from needing to click every alert in the incident. 

9. The document that most likely contained the malicious macro is named 
quote3245.xlsm. The .XLSM extension indicates that it is a macro-enabled Excel workbook. 
Because Excel opened this file and is a child process of msedge.exe, which is itself a 
subprocess of OUTLOOK.EXE, you can infer that the file was downloaded from a URL 
in an email. You can use Advanced Hunting to find this email and the URL. 


10. Click Hunting in the menu on the far left and click Advanced Hunting. 
11. Use this query: 


let badfile = "quote3245.xlsm"; 
EmailUrlInfo 
| where Timestamp between (datetime(2021-04-11T20:00:00) .. datetime(2021-04-13T00:00:00)) and Url has badfile 
| join EmailEvents on NetworkMessageId 
| project Timestamp, NetworkMessageId, Url, SenderFromAddress, RecipientEmailAddress 


The query is broken down like so: 

■ It sets the variable badfile to quote3245.xlsm. 

■ It then searches the EmailUrlInfo table, within a time window around the incident, for 
records whose Url field contains quote3245.xlsm. The has operator is a case-insensitive 
match on the file name as a whole term; use contains instead if you need an arbitrary 
substring match. 

■ Next, it joins the EmailEvents table to those results, keying off the NetworkMessageId. 

■ You need the join to expose the additional fields of the email, SenderFromAddress and 
RecipientEmailAddress, which live in EmailEvents rather than EmailUrlInfo. 


12. Click Run Query. 


13. The results are shown in Figure 1-134. 


FIGURE 1-134 Advanced hunting query editor 


14. You can see the full URL from which the file was downloaded, as well as the sender 
(Paul) and the recipient (Bob). The attacker used Paul's compromised mailbox to send 
the email to Bob to increase the chances of Bob clicking the link and opening the 
document, because it came from Paul, not from a Gmail account. 


15. Copy the NetworkMessageId by right-clicking the value and choosing Copy Value To 
Clipboard. You need it to remove the email from Bob's mailbox. 


16. In the menu on the far left, under Email & Collaboration, click Explorer. 


17. Change the View drop-down menu to All Email. In the query field selector, select 
Network Message ID, click in the text box next to Network Message ID, and press 
Ctrl+V to paste in the NetworkMessageId you copied in the previous step. Change the 
date range to the days just before and after April 11, 2021, so that you only search email 
around the incident date, and click the Refresh button. 


18. As shown in Figure 1-135, the search found the email that was sent from Paul to Bob with 
the malicious URL. 


FIGURE 1-135 Email and collaboration explorer query tool 


19. The bar chart in Figure 1-135 shows the number of recipients for this email that were 
returned in this search and the date and time they were received. Below the bar chart 
are the email details. In the email details area, click the check box to select the email, 
as shown in Figure 1-135. 


20. Click the Actions drop-down menu shown in Figure 1-136. 


FIGURE 1-136 Email Actions (Move & delete: Move to junk folder, Move to deleted items, Soft delete, 
Hard delete (deletes the selected messages, not recoverable), Move to inbox; Track & notify; 
Trigger investigation; Investigate Sender; Investigate Recipient) 
21. Click Hard Delete, which will remove the email from Bob's mailbox permanently. A hard 
delete cannot be undone, so make sure you have already recorded the evidence you need 
(the NetworkMessageId, URL, sender, and recipient from the hunting query) before you 
delete the message. 
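The same hunt can be automated against the Microsoft 365 Defender Advanced Hunting API, which is how a SOC would pivot from the alert to the purge step without retyping the query from step 11. The Python below is an added example, not code from the book or from Microsoft. It assumes an Azure AD application that has been granted the AdvancedHunting.Read.All permission and has already obtained a bearer token, and that the endpoint and the Schema/Results response shape match the public API documentation; the sample response is constructed so the parsing can be run offline. The escaping helper is there because the file name usually comes from alert data, and an unescaped double quote in an attacker-chosen file name would otherwise let that name alter the query.

```python
"""Added example (not from the book): run the EmailUrlInfo/EmailEvents hunt
through the Microsoft 365 Defender Advanced Hunting API and reduce the result to
one NetworkMessageId per message for the Explorer purge step. Endpoint and
response shape follow the public API docs; the token and sample data are
assumptions/constructed."""
from __future__ import annotations

import json
import urllib.request
from datetime import datetime

HUNTING_URL = "https://api.security.microsoft.com/api/advancedhunting/run"
KQL_TIME = "%Y-%m-%dT%H:%M:%S"


def kql_string(value: str) -> str:
    """Quote a value as a KQL string literal. A file name lifted from an alert is
    untrusted input; escaping backslash and double quote keeps it from ending the
    literal and injecting extra operators into the query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_url_hunt(badfile: str, start: datetime, end: datetime) -> str:
    """The book's query, parameterised on file name and time window."""
    return (
        f"let badfile = {kql_string(badfile)};\n"
        "EmailUrlInfo\n"
        f"| where Timestamp between (datetime({start.strftime(KQL_TIME)}) .. "
        f"datetime({end.strftime(KQL_TIME)})) and Url has badfile\n"
        "| join EmailEvents on NetworkMessageId\n"
        "| project Timestamp, NetworkMessageId, Url, SenderFromAddress, RecipientEmailAddress"
    )


def book_hunt_query() -> str:
    """The exact window used in the chapter: 2021-04-11 20:00 to 2021-04-13 00:00."""
    return build_url_hunt("quote3245.xlsm", datetime(2021, 4, 11, 20), datetime(2021, 4, 13))


def run_hunt(token: str, query: str) -> dict:
    """POST the query and return the decoded JSON body (Schema, Results, Stats)."""
    req = urllib.request.Request(
        HUNTING_URL,
        data=json.dumps({"Query": query}).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def messages_to_purge(response: dict) -> list[dict]:
    """One entry per NetworkMessageId with sender, recipient and every URL seen in
    that message (an email carrying several URLs produces several result rows)."""
    by_id = {}
    for row in response.get("Results", []):
        entry = by_id.setdefault(row["NetworkMessageId"], {
            "NetworkMessageId": row["NetworkMessageId"],
            "Sender": row["SenderFromAddress"],
            "Recipient": row["RecipientEmailAddress"],
            "Urls": [],
        })
        if row["Url"] not in entry["Urls"]:
            entry["Urls"].append(row["Url"])
    return list(by_id.values())


# Constructed response in the documented shape; identifiers and hosts are made up.
SAMPLE_RESPONSE = {
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "NetworkMessageId", "Type": "String"},
        {"Name": "Url", "Type": "String"},
        {"Name": "SenderFromAddress", "Type": "String"},
        {"Name": "RecipientEmailAddress", "Type": "String"},
    ],
    "Results": [
        {"Timestamp": "2021-04-11T21:13:07Z", "NetworkMessageId": "msg-0001-constructed",
         "Url": "https://files.example.net/quote3245.xlsm",
         "SenderFromAddress": "paul@contoso.com", "RecipientEmailAddress": "bob@contoso.com"},
        {"Timestamp": "2021-04-11T21:13:07Z", "NetworkMessageId": "msg-0001-constructed",
         "Url": "https://files.example.net/quote3245.xlsm?dl=1",
         "SenderFromAddress": "paul@contoso.com", "RecipientEmailAddress": "bob@contoso.com"},
    ],
}

if __name__ == "__main__":
    print(book_hunt_query())
    # With a real token: results = run_hunt(TOKEN, book_hunt_query())
    for entry in messages_to_purge(SAMPLE_RESPONSE):
        print(entry["NetworkMessageId"], entry["Sender"], "->", entry["Recipient"], entry["Urls"])
```

With a token from your app registration, run_hunt(TOKEN, book_hunt_query()) returns the live result, and messages_to_purge collapses the per-URL rows into the single NetworkMessageId you paste into Explorer; keeping the URL list alongside it gives you the domain for the URL indicator step that follows.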

Now that you removed the email, you need to ensure the URL is blocked from Endpoints by 
using URL indicators. Follow these steps to add a URL indicator: 

1. On the far-left menu under Endpoints, click Search. 

2. Select URL in the drop-down menu, type the domain you want to search for, and press 
Enter. If there are multiple URLs that match your search, you will need to click the 
correct URL. If there is only one match for your search, a page like the one shown in 
Figure 1-137 will be shown. 


FIGURE 1-137 URL page 


3. The URL page allows you to see what machines had network communications with the 
URL. There are two machines in Contoso that accessed the URL that delivered the mali- 
cious Excel document, so you need to block this domain. 


4. Click Add Indicator in the upper-right portion of this screen to open the Add URL/Do- 
main Indicator wizard. 


5. Under Expires On (UTC), select Never, and then click Next to advance to the Action 
tab shown in Figure 1-138. 


6. Under Response Action, select Alert And Block, type details for the Alert in the De- 
scription field, and click Next. 


7. On the Scope tab, under Device Groups, click All Devices In My Scope; click Next. 


8. To add the indicator, click Save on the Summary page. 
FIGURE 1-138 Add URL/Domain Indicator (Action tab: Alert severity, Description; Previous, Next, Cancel) 


To ensure the malicious document quote3245.xlsm is not allowed to be opened on any endpoint 
in Contoso, use these steps to add a file indicator: 


1. On the far-left menu, under Endpoints, click Search. 


2. Select File from the drop-down menu and type the file name quote3245.xlsm; press 
Enter to search. 

3. The file page for quote3245.xlsm opens, as shown in Figure 1-139. 


FIGURE 1-139 File page (No alerts found; VirusTotal ratio; Email inboxes; Malware detection; 
1 device in organization; 1 device worldwide) 


4. You can see on which devices the file was seen. In the upper-right part of the screen, 
click Add Indicator. 


5. In the Add File Hash Indicator wizard, select Never from the options under Expires 
On (UTC). Click Next to advance to the Action page shown in Figure 1-140. 


FIGURE 1-140 Add file hash indicator 
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6. On the Action tab, configure the Response Action to Alert And Block, type details for 
the Alert, and click Next. 


7. On the Scope page, click All Devices In My Scope and click Next. 
8. Click Save on the Summary page to add the file hash indicator. Keep in mind that a 
file hash indicator matches only this exact file; a re-saved or rebuilt document has a 
different hash, so the URL/domain indicator and the user and device actions you took 
earlier remain the primary containment. 


Now that all the entities from the incident are cleaned up, you should close the incident. 
Paul and Bob are still suspended; restore their access only after their credentials have been 
reset and win10-2 has been cleaned and released from isolation. Follow these steps to close 
the incident: 


1. On the far-left menu, under Incidents & Alerts, click Incidents and locate the incident 
named Multi-Stage Incident Involving Initial Access & Discovery On One Endpoint 
Reported By Multiple Sources. 


2. Inthe upper-right portion of the incident page, click Manage Incident to open the 
Manage Incident fly-out menu shown in Figure 1-141. 


FIGURE 1-141 Manage Incident (Incident name; Incident tags; Determination; Comment) 
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3. Click the Resolve Incident toggle, and under Classification, select True Alert. 


4. Under Determination, choose Malware, and click Save. 


MORE INFO TRACK AND RESPOND TO EMERGING THREATS WITH THREAT ANALYTICS 
To learn more about Threat Analytics, see https://aka.ms/sc200_ta. 


MORE INFO THE UNIFIED MICROSOFT 365 SECURITY CENTER OVERVIEW 


To learn more about the Microsoft 365 Security portal, see 
https://aka.ms/sc200_m365secoverview. 


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


Securing Contoso Corporation from modern threats 


You are a senior member of the security operations team at Contoso Corporation, a company 
that writes software for autonomous cars. Executives at the company report that they have 
received an increasing number of spear phishing emails that appear to come from members of 
the board of directors. Most of these spear phishing emails contain URLs pointing to websites 
that mimic Office 365 log-in pages. Unfortunately, the security team at Contoso is overwhelmed 
by the number of alerts coming from endpoints, so they have not been able to give the spear 
phishing issue enough attention. 


To make matters worse, the tier 1 security operators report they had access to Microsoft 
Defender for Endpoint data last week, but after you enabled the roles feature in Defender for 
Endpoint, they no longer have access to the Endpoint data. 


MCAS is also generating many Impossible Travel Alerts, which started around the time 
Contoso switched its VPN provider to another company overseas. 


1. What configuration changes could you make in Microsoft Defender for Office 365 to 
mitigate the spear phishing issue? 


2. What could you do to help the security operations team keep up with Endpoint alerts? 


3. Why did the tier 1 security operations team lose access to Defender for Endpoint data 
after roles were enabled in Defender for Endpoint? How can you fix this issue? 


4. What can you do to tune the MCAS impossible travel alerts to reduce the number of 
benign true positives? 
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Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. You can configure anti-phishing policies and add the email addresses of the board of 
directors to the users to protect. You can also configure a Safe Links policy to address the 
credential phishing URLs. Both changes are made in Microsoft Defender for Office 365. 


2. You can configure device groups in Microsoft Defender for Endpoint to Full: Remediate 
Threats Automatically and enable the advanced feature Automatically Resolve Alerts. 
This will enable the Automated Investigation self-healing feature in Microsoft Defender 
for Endpoint to investigate new alerts, remediate found threats, and automatically close 
alerts. This would reduce the workload of the security team. 


3. The tier 1 security operations team was given access to the Microsoft Defender for 
Endpoint data through membership in the Azure AD role Security Reader. When 
roles are enabled in Defender for Endpoint, users who hold only Security Reader lose 
access to the portal until they are assigned a Defender for Endpoint role. To resolve this 
issue, the tier 1 team's security group should be assigned a Defender for Endpoint role 
that includes the View Data - Security operations permission. 


4. Add the VPN IP network ranges to the IP address ranges configuration in MCAS 
(Settings > IP address ranges). This excludes the VPN range from impossible travel 
detections and reduces the benign true positives. 


Chapter Summary 


■ Safe Links, Safe Attachments, and anti-phishing policies in Microsoft Defender for Office 
365 can help protect users from malicious links, attachments, and impersonated emails, 
respectively. 


■ Attack Simulation Training can help educate your users on how to spot phishing and 
other malicious document content. 


■ Microsoft Defender for Endpoint not only helps you protect, detect, and respond to 
endpoint threats, it can also recommend security settings and report vulnerable software 
in your environment that poses the highest risk of exploitation. 


■ The automated investigation self-healing feature can reduce the workload of your 
security operations team, so they can concentrate on proactive hunting and improving 
protection. 


■ Azure Active Directory Identity Protection can detect risky sign-ins and user accounts at 
risk of being compromised. Multifactor authentication and requiring a password change 
can be invoked to protect these accounts. 

■ Microsoft Cloud App Security allows you to discover the cloud applications your users access. 
It can also alert you to unusual and malicious activity based on user behavior patterns. 


■ Microsoft Defender for Identity can detect reconnaissance and user account compromise 
in Active Directory Domain Services environments. 


■ Microsoft 365 Defender improves the efficiency and effectiveness of your security 
operations teams by providing a single portal for Microsoft threat protection products, a 
single incident model, intelligent Automated Investigation self-healing, and a combined 
schema for Advanced Hunting and custom detections. 


120 Mitigate threats using Microsoft 365 Defender 
Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


Mitigate threats using 
Azure Defender 


One critical component of any Security Operations Center (SOC) is the quality of the alerts 
received from a given data source. Alert quality can be measured by the relevance of the 
information contained in the alert, how well the alert reflects the threat vectors of the cloud 
workload it protects, and how well its indications help security operations analysts 
investigate and respond to the alert. Azure Defender has different plans that offer threat 
detections for specific workloads, based on analytics that were created specifically for the 
threat vectors of that workload type. 


To mitigate threats using Azure Defender you must be able to design, configure, and 
manage the different types of Azure Defender plans, manage rules, and understand how 
to investigate and automate response. 


Skills covered in this chapter: 
■ Design and configure an Azure Defender implementation 
■ Plan and implement the use of data connectors for ingestion of data in Azure Defender 
■ Manage Azure Defender alert rules 
■ Configure automation and remediation 
■ Investigate Azure Defender alerts and incidents 


Skill 2-1: Design and configure an Azure Defender 
implementation 


Before implementing Azure Defender it is important to understand the different design 
considerations that will directly affect how you configure the solution based on the scenario’s 
requirements. This section of the chapter covers the skills necessary to design and configure 
Azure Defender implementation according to the SC-200 exam outline. 
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Plan and configure Azure Defender settings, including 
selecting target subscriptions and workspace 


When planning to use Azure Defender, you must understand the requirements for the type of 
plan that you want to implement. If you are planning the implementation of Azure Defender 
for Servers, Azure Defender for Kubernetes, or Azure Defender for SQL Server on Machines, 
you also need to consider the requirement to deploy the Log Analytics (LA) agent to the 
machines. As part of that deployment, you need to select the workspace to which the agent 
will send its data. 


Other Azure Defender plans that are based on Azure Platform as a Service (PaaS) 
offerings don't require a workspace configuration in the beginning. This includes plans such as 
Azure Defender for Key Vault, Azure Defender for App Service, Azure Defender for Resource 
Manager, Azure Defender for Storage, Azure Defender for Container Registries, Azure 
Defender for SQL database, and Azure Defender for DNS. You will only need to configure a 
workspace for these Azure Defender plans if you consider utilizing the continuous export 
capability in Azure Security Center. This feature is often used in the following scenarios: 


■ When the organization wants to store the alerts triggered by all Azure Defender 
plans in the workspace. By default, only VM-based alerts are stored in 
the workspace. 


■ When the organization wants to store all security recommendations or regulatory 
compliance information in the workspace. 


■ When the organization needs to send the alerts to a security information and event 
management (SIEM) system via Azure Event Hub. 


When you first activate Azure Security Center, the auto-provisioning feature is not enabled. 
However, if you want to ensure that all VMs are automatically configured to receive the LA 
agent and send the data to the correct workspace, you should enable this option. When auto-
provisioning is enabled and the Connect Azure VMs To The Default Workspace(s) Created 
By Security Center option is selected, Security Center will automatically create and manage a 
new workspace. Security Center creates a new resource group and a workspace (called the 
default workspace) in the same geolocation as the VM and connects the agent to that workspace. 
The naming conventions for the default workspace and resource group are shown below: 


■ Workspace: DefaultWorkspace-[subscription-ID]-[geo] 
■ Resource Group: DefaultResourceGroup-[geo] 


The fact that a default workspace is created according to the geolocation of the VM is an 
advantage if your design requirements dictate that the data sent from the VM must be stored 
in the same region as the VM's location. Table 2-1 shows where the workspace will reside 
according to the VM's location: 

TABLE 2-1 VM and workspace locations 


VM Location                    Workspace Location 
United States and Brazil       United States 
Canada                         Canada 
Europe                         Europe 
United Kingdom                 United Kingdom 
East Asia and Southeast Asia   Asia 
Korea                          Korea 
India                          India 
Japan                          Japan 
China                          China 
Australia                      Australia 


If your organization is already utilizing a Log Analytics workspace and it wants to leverage 
the same workspace for Security Center, you should select the Connect Azure VMs To A 
Different Workspace option and specify the workspace, which can be any workspace across 
all selected subscriptions within the same tenant. 


The general best practice for workspace design is to keep the number of workspaces as small 
as possible, which is not what happens when you let Security Center manage the workspaces, 
because it creates one default workspace per region. When reading a scenario in the SC-200 
exam, take into consideration the business requirements as well as the technical requirements. 
These requirements will lead you to select one of these two options: 


■ Use the default workspaces, which can create many workspaces according to 
the regions where the company's VMs reside. 


■ Take a more centralized approach where all VMs across all subscriptions 
send data to a single workspace. 


IMPORTANT BEST PRACTICES 


If you plan to use the same workspace for Azure Sentinel and Azure Security Center, make 
sure to read the best practices highlighted in this post: http://aka.ms/ascbooklawbp. 


The actual steps to configure auto-provisioning and specify the workspace are provided
later in this chapter.
Configure Azure Defender roles


Security Center uses Role-Based Access Control (RBAC) based on Azure. By default, there are
two roles in Security Center: Security Reader and Security Admin. The Security Reader
role should be assigned to all users that need read-only access to the dashboard. For example,
Security Operations personnel who need to monitor and respond to security alerts should be
assigned the Security Reader role. It is important to mention that the assignment of this role is
done at the Azure level, under the resource group that Security Center is monitoring, using
Access Control (IAM), as shown in Figure 2-1.




FIGURE 2-1 Access control in Azure 


Workload owners usually need to manage a particular cloud workload and its related
resources. Besides that, the workload owner is responsible for implementing and maintaining
protections in accordance with company security policy. The Security Admin role should be
assigned to users that need to manage the Security Center configuration.


Only subscription Owners/Contributors and Security Admins can edit a security 
policy. Only subscription and resource group Owners and Contributors can apply security 
recommendations for a resource. To enable Azure Defender, you need Security Admin or 
Subscription Owner privilege. To learn more about Role-Based Access Control (RBAC) in 
Azure, visit http://aka.ms/azurerbac. 


Custom roles 


There will be some scenarios where the organization may want to grant some users a more
granular privilege instead of the entire Security Admin role. Consider an organization called
Contoso that needs to allow security operation analysts only to view and create alert-suppression
rules. In this case, the Security Admin role provides more privileges than necessary. For scenarios
like this, you can create a custom role in Azure and assign write privilege to this operation:
Microsoft.Security/alertsSuppressionRules/write.


MOREINFO CREATING CUSTOM ROLES 
To create custom roles, see http://aka.ms/SC200_CustomRole. 
Another common scenario is when an organization needs to create a custom role to allow
users to configure or edit the just-in-time (JIT) VM access. You need a set of privileges to work
with JIT; these privileges will vary according to the type of operation that you need to perform
or that you want to allow a user to perform. You can be very granular about this permission
assignment by using these guidelines:


To configure or edit a JIT policy for a VM, you need to assign these actions to the role:

■ On the scope of a subscription or resource group that is associated with the VM:
Microsoft.Security/locations/jitNetworkAccessPolicies/write.

■ On the scope of a subscription or resource group of the VM:
Microsoft.Compute/virtualMachines/write.

To request access to a VM, you need to assign these actions to the user:

■ On the scope of a subscription or resource group that is associated with the VM:
Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action.

■ On the scope of a subscription or resource group that is associated with the VM:
Microsoft.Security/locations/jitNetworkAccessPolicies/*/read.

■ On the scope of a subscription, resource group, or VM:
Microsoft.Compute/virtualMachines/read.

■ On the scope of a subscription, resource group, or VM:
Microsoft.Network/networkInterfaces/*/read.


To read JIT policies on the scope of a subscription, resource group, or VM, assign
these actions to the user:

■ Microsoft.Security/locations/jitNetworkAccessPolicies/read
■ Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
■ Microsoft.Security/policies/read
■ Microsoft.Security/pricings/read
■ Microsoft.Compute/virtualMachines/read
■ Microsoft.Network/*/read


Also, if you need to see the JIT NSG policy from the VM—Networking blade, you need to add
the following permissions:

■ Microsoft.Network/networkSecurityGroups/read
■ Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read
■ Microsoft.Network/networkSecurityGroups/securityRules/read


While the permissions above can be utilized to apply the principle of least privilege, keep in 
mind that you will need to merge some permissions if you are accessing via the Azure portal. 
For example, to configure or edit a JIT policy for a VM, you will need the privileges given and 
the privileges to read JIT policies. 
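The suppression-rule role and the JIT roles above as custom role definitions, plus a check for the merge requirement of the last paragraph, as an added Python example that is not from the book; the subscription ID and role names are constructed placeholders, and the wildcard evaluation is a simplified model of Azure RBAC (Actions and NotActions only).

```python
"""Custom role definitions for the Security Center scenarios above.

Added example, not from the book: the action strings are the ones quoted in
the text; the role names, subscription ID and the RBAC evaluation model
(Actions minus NotActions, '*' wildcard) are constructed simplifications.
"""
import json
import re

# Constructed placeholder scope; replace with a real subscription ID.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Alert-suppression scenario (Contoso): write access to suppression rules only.
SUPPRESSION_RULE_ACTIONS = ["Microsoft.Security/alertsSuppressionRules/write"]

# JIT scenarios, as listed in the text.
JIT_CONFIGURE_ACTIONS = [
    "Microsoft.Security/locations/jitNetworkAccessPolicies/write",
    "Microsoft.Compute/virtualMachines/write",
]
JIT_REQUEST_ACTIONS = [
    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
    "Microsoft.Security/locations/jitNetworkAccessPolicies/*/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkInterfaces/*/read",
]
JIT_READ_ACTIONS = [
    "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
    "Microsoft.Security/policies/read",
    "Microsoft.Security/pricings/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/*/read",
]
# Extra reads needed to see the JIT NSG policy from the VM Networking blade.
NSG_VIEW_ACTIONS = [
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
    "Microsoft.Network/networkSecurityGroups/securityRules/read",
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics (simplified): '*' stands for any run of
    characters including '/', so Microsoft.Network/*/read also covers
    Microsoft.Network/networkSecurityGroups/securityRules/read. Operation
    names are compared case-insensitively."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def custom_role(name: str, description: str, *action_groups) -> dict:
    """Role definition in the JSON shape consumed by
    `az role definition create --role-definition <file>`. Groups are merged
    and de-duplicated, which is what the text means by 'merging' the JIT
    configure and read permissions for portal use."""
    merged = list(dict.fromkeys(a for group in action_groups for a in group))
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": merged,
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [SCOPE],
    }


def is_permitted(role: dict, action: str) -> bool:
    """Allowed if some Actions entry matches and no NotActions entry does."""
    allowed = any(action_matches(p, action) for p in role["Actions"])
    denied = any(action_matches(p, action) for p in role["NotActions"])
    return allowed and not denied


def missing_actions(role: dict, required) -> list:
    """Required actions the role does not grant; an empty list means the
    least-privilege role is sufficient for that task."""
    return [a for a in required if not is_permitted(role, a)]


if __name__ == "__main__":
    # Suppression-rule role for the Contoso analysts.
    print(json.dumps(custom_role("Contoso Alert Suppression Editor",
                                 "Create alert-suppression rules",
                                 SUPPRESSION_RULE_ACTIONS), indent=2))

    # A role with only the configure actions: enough for the API, but in the
    # portal the analyst also needs the read set, so the check reports gaps.
    api_only = custom_role("Contoso JIT Configurator (API)",
                           "Create and edit JIT policies", JIT_CONFIGURE_ACTIONS)
    print("portal gaps:", missing_actions(api_only, JIT_READ_ACTIONS))

    # Merged role for portal use: configure + read + NSG view.
    portal = custom_role("Contoso JIT Configurator", "Manage JIT from the portal",
                         JIT_CONFIGURE_ACTIONS, JIT_READ_ACTIONS, NSG_VIEW_ACTIONS)
    print("portal gaps:", missing_actions(portal, JIT_READ_ACTIONS + NSG_VIEW_ACTIONS))
    print(json.dumps(portal, indent=2))
```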
Configure data retention policies


Microsoft Defender for Servers provides a free allowance of 500 MB per node, per day for the data
ingested into the Log Analytics workspace for the following subset of security data types:

■ WindowsEvent
■ SecurityAlert
■ SecurityBaseline
■ SecurityBaselineSummary
■ SecurityDetection
■ SecurityEvent
■ WindowsFirewall
■ MaliciousIPCommunication
■ LinuxAuditLog
■ SysmonEvent
■ ProtectionStatus


Update and UpdateSummary data types can be used when the Update Management solution 
is not running on the workspace or when solution targeting is enabled. 


If the workspace is in the legacy Per Node pricing tier, the Microsoft Defender for Servers
and Log Analytics allocations are combined and applied jointly to all billable ingested data.
When you configure Microsoft Defender for Cloud to utilize a workspace, the data stored
there will be available for 30 days by default. However, you can configure data
retention at the workspace level up to 730 days (2 years) for all workspaces unless they are
using the legacy free tier (for example, when using Microsoft Defender for Cloud without
upgrading to Microsoft Defender for Cloud plans).


IMPORTANT AZURE MONITOR PRICING 


When you choose to extend your data retention for the workspace used by Microsoft 
Defender for Cloud, extra charges will be applied as per Log Analytics workspace pricing. 

If the same workspace is shared with Microsoft Sentinel, you get 90 days of data retention 
included. Visit the Azure Monitor pricing page for more information about the current pric- 
ing: https://azure.microsoft.com/en-us/pricing/details/monitor/. 


Depending on the scenario that you are addressing, you might need to extend the data 
retention to more than 30 days. Make sure to always review the business and technical require- 
ments of the scenario for hints about data retention. Once you determine the data retention 
goal, follow the steps below to configure data retention in Log Analytics workspace: 

1. Navigate to the Azure portal by opening https://portal.azure.com.

2. In the search bar, type log ana, and under Services, click Log Analytics Workspaces.

3. In the Log Analytics Workspaces dashboard, click the workspace for which you want
to configure data retention.
4. In the left navigation pane, in the General section, click Usage And Estimated Costs.
The Usage And Estimated Costs page appears, as shown in Figure 2-2.


[Figure 2-2: the Usage And Estimated Costs page, showing Usage Charts, the log data ingestion and log data retention (beyond 90 days) line items, and the available capacity reservation tiers.]


FIGURE 2-2 Log Analytics workspace usage and cost 


5. Click the Data Retention button, and the Data Retention blade appears, as shown in
Figure 2-3.


[Figure 2-3: the Data Retention blade, noting that 31 days of retention is included with the pricing plan, with the Data Retention (Days) slider and the note that Application Insights data types default to 90 days unless the workspace retention is longer.]


FIGURE 2-3 Configuring data retention for the Log Analytics workspace 
6. You can use the Data Retention (Days) slider to increase the number of days that you
want to retain the data. Once you finish, click the OK button to commit the changes.


You can also utilize an Azure Resource Manager (ARM) template to configure data reten-
tion by using the retentionInDays parameter. The advantage of using an ARM template for
this operation is that you can apply it at scale, and you can also customize other parameters.
For example, if the scenario requires that you set the data retention to 30 days and trigger an
immediate purge of older data, you can do that by using the immediatePurgeDataOn30Days
parameter, which eliminates the grace period. This configuration could also be useful for
compliance-related scenarios where immediate data removal is mandatory.


While extending the data retention policy for the entire workspace is usually the most
common scenario, there are some situations in which you might need to change the data retention
for a specific data type. Retention settings for individual data types are available from
4 to 730 days (except for workspaces in the legacy free tier). These settings will override the
workspace-level default retention. You will also need to use ARM to change this setting. In the
example below, the data retention for the SecurityEvent data type is being changed to 550 days:

PUT /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables/SecurityEvent?api-version=2017-04-26-preview

{
  "properties":
  {
    "retentionInDays": 550
  }
}

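The workspace-level and per-table retention settings just described, assembled and validated in an added Python example (not from the book); the resource names are constructed placeholders, and placing immediatePurgeDataOn30Days under the workspace's features property is an assumption about the ARM schema.

```python
"""Log Analytics retention settings described above, expressed as the
request bodies you would send (or put in an ARM template). Added example,
not from the book; resource names are constructed placeholders and the
'features' location of immediatePurgeDataOn30Days is an assumption about
the workspace ARM schema."""

WORKSPACE_RANGE = (30, 730)   # workspace-level retention window, in days
TABLE_RANGE = (4, 730)        # per-data-type override window, in days
API_VERSION = "2017-04-26-preview"  # api-version used by the PUT in the text


def workspace_retention(days: int, immediate_purge: bool = False,
                        legacy_free_tier: bool = False) -> dict:
    """'properties' for a Microsoft.OperationalInsights/workspaces resource."""
    if legacy_free_tier:
        raise ValueError("retention is fixed on the legacy free tier")
    lo, hi = WORKSPACE_RANGE
    if not lo <= days <= hi:
        raise ValueError(f"workspace retention must be {lo}..{hi} days, got {days}")
    props = {"retentionInDays": days}
    if immediate_purge:
        # Drops the grace period: data older than 30 days is purged at once
        # (assumed schema location, under 'features').
        props["features"] = {"immediatePurgeDataOn30Days": True}
    return props


def table_retention_request(subscription_id: str, resource_group: str,
                            workspace: str, table: str, days: int):
    """(method, path, body) for the per-table override, as in the text."""
    lo, hi = TABLE_RANGE
    if not lo <= days <= hi:
        raise ValueError(f"table retention must be {lo}..{hi} days, got {days}")
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/Tables/{table}?api-version={API_VERSION}")
    return "PUT", path, {"properties": {"retentionInDays": days}}


def effective_retention(workspace_days: int, overrides: dict, tables) -> dict:
    """Retention each table actually gets: a table override wins over the
    workspace default, which is how a cost-driven design keeps only the
    high-value types (e.g. SecurityEvent) for longer."""
    return {t: overrides.get(t, workspace_days) for t in tables}


if __name__ == "__main__":
    print(workspace_retention(30, immediate_purge=True))
    method, path, body = table_retention_request(
        "00000000-0000-0000-0000-000000000000", "MyResourceGroupName",
        "MyWorkspaceName", "SecurityEvent", 550)
    print(method, path, body)
    print(effective_retention(90, {"SecurityEvent": 550},
                              ["SecurityEvent", "Heartbeat", "Syslog"]))
```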
EXAM TIP 


When evaluating a scenario in the SC-200 exam, look for business requirements that lead 
to cost savings on data. Changing data retention only in certain data types can be used to 
reduce overall costs for data retention. 


Assess and recommend cloud workload protection 


As enterprises start their journeys to the cloud, they will face many challenges as they adapt 
their on-premises tools to a cloud-based model. In a cloud environment where there are 
different workloads to manage, it becomes imperative to have ongoing verification and cor- 
rective actions to ensure that the security posture of those workloads is always at the highest 
possible quality. 

Security Center has a variety of capabilities that can be used in two categories of cloud solutions: 


■ Cloud Security Posture Management (CSPM) This enables organizations to assess
their cloud infrastructure to ensure compliance with industry regulations and identify
security vulnerabilities in their cloud workloads.

■ Cloud Workload Protection Platform (CWPP) This enables organizations to assess
their cloud workload risks and detect threats against their servers (IaaS), containers,
databases (PaaS), and storage. It also allows organizations to identify faulty configura-
tions and remediate those with security best-practice configurations. To use the CWPP
capabilities, you need to upgrade to Azure Defender.


With an Azure subscription, you can activate the free tier of Security Center, which monitors 
compute, network, storage, and application resources in Azure. It also provides security policy, 
security assessment, security recommendations, and the ability to connect with other security 
partner solutions. 


Even organizations that are getting started with Infrastructure as a Service (IaaS) in Azure
can benefit from this free service because it will improve their security postures. When you
upgrade your Security Center subscription from the free tier to Azure Defender, Azure
Defender for Servers will be automatically enabled. With this plan, the following features will
be available:


■ Security event collection and advanced search
■ Network Map
■ Just-in-time VM Access
■ Adaptive application controls
■ Regulatory compliance reports
■ File integrity monitoring
■ Network Security Group (NSG) hardening
■ Security alerts
■ Threat protection for Azure VMs, non-Azure VMs, and PaaS services
■ Integration with Microsoft Defender for Endpoint (MDE)
■ Integration with Microsoft Cloud App Security (MCAS)
■ Multi-cloud support for Amazon Web Services (AWS) and Google Cloud Platform (GCP)
■ Vulnerability assessment integration with Qualys


Another advantage of upgrading to Azure Defender is that it allows you to monitor on- 
premises resources and VMs hosted by other cloud providers. You achieve this by onboarding 
your machine using Azure Arc and then installing the Log Analytics agent on the target machine. 


Assessment and recommendations 


Security Center will identify resources (compute, network, storage, identity, and application) 
that need security recommendations and will automatically suggest changes. You can see all 
recommendations in a single place, which is available under General > Recommendations. 
There, you can see security controls, as shown in Figure 2-4. 
FIGURE 2-4 Security recommendations in Microsoft Defender for Cloud


During this initial assessment, Microsoft Defender for Cloud will also identify which work- 
loads are available in the subscription. Also, it will suggest enabling the different Microsoft 
Defender for Cloud plans for cloud workload protection. All plans will be part of the Microsoft 
Defender for Cloud security control, as shown in Figure 2-5. 


[Figure 2-5: the Recommendations list filtered by "defender" with Recommendation status == None, listing the "Microsoft Defender for ... should be enabled" recommendations for Containers (AWS and GCP connectors), Azure SQL Database servers, servers, App Service, Resource Manager, SQL servers on machines, Storage, Key Vault, open-source relational databases, DNS, and servers and SQL on machines (on workspaces).]


FIGURE 2-5 Enable Microsoft Defender security control 
Enabling Azure Defender


To enable Azure Defender, you can click each recommendation and follow the remediation
steps, or go to the Price & Settings option in the left navigation pane, select the subscription,
and select the plans you want to utilize. To review the pricing selection, click the Price & Set-
tings option in the left navigation pane, and under Management, click the subscription on
which you want to enable Azure Defender. The Azure Defender plans page will appear, as
shown in Figure 2-6.
FIGURE 2-6 Pricing page showing the different Azure Defender plans


On this page, you can change the toggle to ON or OFF, where ON means that the Azure De- 
fender plan is enabled on the selected subscription. While most of the Azure Defender plans can 
only be enabled on the subscription level, there are a couple that can be enabled individually: 

m Azure Defender for SQL (Azure SQL Database) 
m Azure Defender for Storage (Storage) 

In both cases, you can toggle these to the OFF setting on this page, and you can go to each
Azure SQL database or each Azure Storage account and enable Azure Defender from there.
You might do this if the business requirement is to save cost by only enabling Azure Defender
for SQL or Azure Defender for Storage on a company's most critical assets, rather than enabling
them for the entire subscription.


Make sure to analyze the business requirements that will guide you when deciding whether 
to disable it at the subscription level and enable it on each resource. If you need to enable 
Azure Defender in scale, you can also use ARM Templates or Azure Policy. 
Skill 2-2: Plan and implement the use of data connectors
for ingestion of data sources in Azure Defender


When you upgrade from Azure Security Center to Azure Defender, you can start monitoring
the security posture of different cloud providers, including Amazon Web Services (AWS) and
Google Cloud Platform (GCP). Ingesting data from these platforms is a mandatory step when
you need to have visibility across different workloads located in multiple cloud providers. This
section covers the skills necessary to plan and implement the use of data connectors for inges-
tion of data sources in Azure Defender according to the SC-200 exam outline.


Identify data sources to be ingested for Azure Defender 


Azure Defender supports the integration of partner security solutions, such as vulnerability 
assessment by Qualys and Rapid7. It can also integrate with the Microsoft Azure Web Applica- 
tion Firewall on the Azure Application Gateway. The advantage of using this integration varies 
according to the solution. For vulnerability assessment, the agent can be provisioned using the 
license you already have for the product (Qualys or Rapid7). Follow these steps to access the 
Security Solutions dashboard: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the search bar, type security, and under Services, click Security Center.


3. In the Security Center main dashboard, in the Management section, click Security Solu-
tions. The Security Solutions page appears, as shown in Figure 2-7.
FIGURE 2-7 Security Solutions page with the connected solutions and available data sources
The Connected Solutions section is populated according to the solutions that were already
deployed. The deployment of the solution will vary according to the vendor. For vulnerability
assessment, you will deploy the agent based on the Azure Security Center recommendation
indicating that your machine is missing a vulnerability assessment. The Add Data Source sec-
tion of this page allows you to:


■ Onboard a non-Azure machine In this scenario, you will need to select the work-
space to which the Log Analytics (LA) agent will report. Then you will need to obtain
the workspace ID and key, deploy the agent to the server, and configure it to use the
workspace ID and key of the workspace you selected.

■ Connect to a SIEM platform In this scenario, you need to configure an Azure Event
Hub, stream the data from Azure Defender to this Event Hub, and configure the SIEM
to obtain the info from the Event Hub using a SIEM connector. The SIEM connector will
vary according to the supported vendor (Splunk, ArcSight, QRadar, or Palo Alto). Keep
in mind that you don't need to use an Event Hub if you are connecting Azure Defender
with Azure Sentinel. In this case, you just need to use the Azure Defender connector in
Azure Sentinel.

■ Azure Web Application Firewall (WAF) In this scenario, the goal is to surface the
Azure WAF logs in the Azure Defender Security Alerts Dashboard. Note that this inte-
gration only works for WAF v1.


Configure automated onboarding for Azure resources and 
data collection 

PaaS-related resources in Azure don't require an agent to work, which means that as long as
you have the Azure Defender plan enabled on the subscription level, the corresponding re-
sources, existing and new, will automatically have Azure Defender enabled on them. For example,
if the technical requirement is to have Azure Defender for Storage enabled on all existing and
new storage accounts, you just need to enable Azure Defender for Storage at the subscription level.


As mentioned earlier in this chapter, when dealing with Azure VMs (IaaS scenario), you will
need to install the LA Agent. For Azure VMs, this agent can be auto-provisioned based on the
auto-provisioning settings that were configured at the subscription level. To change these set-
tings, follow these steps:


1. Open the Azure portal and sign in with a user who has Security Admin privileges.

2. In the left navigation menu, click Security Center.

3. In the Security Center's left navigation menu, under Management, click the Pricing &
Settings option.

4. Click the subscription for which you want to review the auto-provisioning settings.

5. In the Settings section on the left, click Auto Provisioning. The Auto Provisioning
settings appear, as shown in Figure 2-8.
FIGURE 2-8 Auto Provisioning settings in Security Center


6. In the Configuration section for the Log Analytics Agent For Azure VMs, click Edit
Configuration.

7. In the Extension Deployment Configuration blade shown in Figure 2-9, the default
setting, Connect Azure VMs To The Default Workspace(s) Created By Security
Center, allows Security Center to manage the workspace. If instead you want to
select another workspace to be used by Security Center, choose Connect Azure VMs
To A Different Workspace. This is the preferred option when you have multiple
subscriptions and want to centralize the workspace.


[Figure 2-9: the Extension deployment configuration blade, with the Workspace configuration options, including Connect Azure VMs to a different workspace.]
FIGURE 2-9 Options to control the workspace and data collection
NOTE AUTO-PROVISIONING AGENT ON VMSS AND KUBERNETES


At the time that this book was written, the Auto-Provisioning agent was not available for 
VM Scale Set (VMSS) and Azure Kubernetes. To install the agent on those services, you need 
to configure an Azure Policy to deploy it. 


In the Store Additional Raw Data section, you can configure the level of data collection
granularity for Windows systems. Each setting will determine the type of events that will be
collected. If you are using a Group Policy Object (GPO) to configure the servers on which the
agent will be installed, we recommend that you enable the Process Creation Event 4688
audit policy and the CommandLine field inside event 4688. Audit Process Creation determines
whether the operating system generates audit events when a process is created (starts). Infor-
mation includes the name of the program and the user who created the process. Following is a
summary of what each option collects:


■ All Events If you select this option, all security events will be stored in your workspace.

■ Common When you select this option, only a subset of events will be stored in your
workspace. Microsoft considers these events—including login and logout events—to
provide sufficient detail to represent a reasonable audit trail. Other events, such as
Kerberos operations, security group changes, and more, are included based on industry
consensus as to what constitutes a full audit trail.

■ Minimal Choosing this setting results in the storage of fewer events than the Com-
mon setting, although we aren't sure how many fewer events or what types of events
are omitted. Microsoft worked with customers to ensure that this configuration surfaces
enough events that successful breaches are detected and that important low-volume
events are recorded. However, logout events aren't recorded, so it doesn't support a
full user audit trail.

■ None This option disables security event storage.


To enable data collection for Adaptive Application Controls, Security Center configures a
local AppLocker policy in Audit mode to allow all applications. This will cause AppLocker to
generate events that are then collected and stored in your workspace. It is important to note
that this policy will not be configured on any machines on which there is already a configured
AppLocker policy. To collect Windows Filtering Platform Event ID 5156, you need to enable
the Audit Filtering Platform Connection subcategory:

Auditpol /set /subcategory:"Filtering Platform Connection" /Success:Enable


MOREINFO WINDOWS EVENT ID 


For details about the event ID that is collected for Windows, see http://aka.ms/ascdatacollection. 
Connect on-premises computers


As explained previously, VMs that are in Azure will be provisioned automatically, which means 
that the monitoring agent will be automatically installed. If you need to onboard on-premises 
computers, you will need to install the agent manually. Follow the steps below to onboard 
non-Azure computers or VMs: 


1. Open the Azure portal and sign in with a user who has Security Admin privileges.

2. In the left navigation menu, click Defender for Cloud.

3. In the Defender for Cloud left navigation menu, under General, click the Getting
Started option and click the Get Started tab.

4. Under Add Non-Azure Computers, click the Configure button, as shown in Figure 2-10.
FIGURE 2-10 Option to onboard non-Azure computers


5. In the Add New Non-Azure Computers blade, select the workspace in which you want
to store the data from these computers, and before onboarding any computer, make sure
to click Upgrade to upgrade the Workspace to Microsoft Defender for Cloud, as shown in
Figure 2-11.
FIGURE 2-11 Upgrading the workspace to Microsoft Defender for Cloud
6. If the Upgrade button did not change to + Add Servers, click the Refresh button, and
you should see the + Add Servers button, as shown in Figure 2-12. Click Add Servers
to proceed.
FIGURE 2-12 Adding servers to the workspace


7. Once you click the + Add Servers button, the Agents Management page appears,
as shown in Figure 2-13.
FIGURE 2-13 Agents Management


8. On this page, click the appropriate Windows agent (64-bit or 32-bit version). If you are
installing the agent on a Linux operating system, click the Linux Servers tab and follow
the instructions from there. Make sure to copy the Workspace ID and Primary Key
values to the clipboard; you will need those values when installing the agent on the
target system.
9. When you finish downloading it, you can close the Security Center dashboard (close
your browser) and copy the agent installation file to a shared network location where
the client can access it.

For this example, the agent installation will be done on an on-premises Windows Server
2016 computer, though the same set of procedures applies to a non-Azure VM located in a
different cloud provider. Log in on the target system and follow the steps below to perform
the installation:

1. Double-click the MMASetup-AMD64.exe file, and if the Open File—Security Warning
dialog appears, click Run.


2. If the User Access Control dialog appears, click Yes.
3. On the Welcome To The Microsoft Monitoring Agent Setup Wizard page, click Next. 
4. Read the Microsoft License Terms and click I Agree. 


5. In the Destination Folder page, leave the default selection and click Next. The Agent
Setup Options page appears, as shown in Figure 2-14.


[Figure 2-14: the Microsoft Monitoring Agent Setup wizard, Agent Setup Options page, with the options Enable local collection of IntelliTrace logs (requires .NET Framework 3.5 or higher), Connect the agent to Azure Log Analytics (OMS), and Connect the agent to System Center Operations Manager.]
FIGURE 2-14 Selecting the target service


6. Select Connect The Agent To Azure Log Analytics (OMS), as shown in Figure 2-14, 
and click Next. The Azure Log Analytics page appears, as shown in Figure 2-15. 


7. On this page, you need to enter the Workspace ID and Workspace Key that were 
obtained in step 8 of the previous procedure. Notice that the primary key should be 
entered in the Workspace Key field. If this computer is behind a proxy server, you need 
to click the Advanced button and provide the Proxy URL and authentication if needed. 
Once you finish filling in these options, click Next. 
[Figure 2-15: the Azure Log Analytics page of the wizard, with the Workspace ID, Workspace Key and Azure Cloud (Azure Commercial) fields, the Advanced button for HTTP proxy configuration, and the note that the properties are validated by the Azure Log Analytics service when you click Next.]


FIGURE 2-15 Providing the workspace ID and primary key 


8. On the Microsoft Update page, select Use Microsoft Update For Updates 
(Recommended) and click Next. 


9. On the Ready To Install page, review the summary field and click Install. 

10. The Installing The Microsoft Monitoring Agent page appears, and the installation 
proceeds. 

11. Once the installation is finished, the Microsoft Monitoring Agent Configuration 
Completed Successfully page appears. Click Finish. 

You can also perform this installation using the command-line interface (CLI). Use the
following code:

MMASetup-AMD64.exe /Q:A /R:N /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1
OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<yourworkspaceID>
OPINSIGHTS_WORKSPACE_KEY=<yourworkspaceprimarykey> AcceptEndUserLicenseAgreement=1"


Most of the parameters that you saw in the agent installation are self-explanatory. The only
one that isn't immediately obvious is the OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE parameter,
which is the cloud environment specification. The default is 0, which represents the Azure com-
mercial cloud. You should only use 1 if you are installing the agent in an Azure government cloud.


It can take some time for this new non-Azure computer to appear in Security Center. If you 
want to validate the connectivity between this computer and the workspace, you can use the 
TestCloudConnection tool. On the target computer, open the command prompt and navigate 
to the \Program Files\Microsoft Monitoring Agent\Agent folder. From there, execute 
the TestCloudConnection.exe command, and if the connectivity is working properly, you 
should see all tests followed by this message: Connectivity test passed for all hosts for 
workspace id <workspace id>. 
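The following Python helper is an added example, not code from the book or from Microsoft. It builds the silent-install command line shown above from a workspace ID, primary key, and cloud choice, validating the inputs first (a mistyped GUID or a truncated key is the usual reason the agent never reports in), and then checks captured TestCloudConnection.exe output for the pass message, confirming that it names the workspace you just onboarded. The sample workspace ID, key, and tool output are constructed; only the final "Connectivity test passed" wording comes from the text. 

```python
import base64
import re
import uuid

# Values of OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE as described in the text:
# 0 = Azure commercial cloud (default), 1 = Azure Government cloud.
CLOUD_TYPES = {"commercial": 0, "government": 1}

# Constructed sample values for demonstration only; not a real workspace or key.
SAMPLE_WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_WORKSPACE_KEY = base64.b64encode(b"constructed-sample-primary-key").decode()


def build_mma_install_command(workspace_id: str, workspace_key: str,
                              cloud: str = "commercial") -> str:
    """Return the silent MMASetup-AMD64.exe command line from the text,
    after validating the three inputs that most often get mistyped."""
    try:
        normalized_id = str(uuid.UUID(workspace_id))    # workspace ID must be a GUID
    except ValueError as exc:
        raise ValueError(f"workspace ID is not a GUID: {workspace_id!r}") from exc
    try:
        base64.b64decode(workspace_key, validate=True)  # primary key is base64 text
    except ValueError as exc:
        raise ValueError("workspace key is not valid base64") from exc
    if cloud not in CLOUD_TYPES:
        raise ValueError(f"cloud must be one of {sorted(CLOUD_TYPES)}")

    inner = (
        "setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 "
        f"OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE={CLOUD_TYPES[cloud]} "
        f"OPINSIGHTS_WORKSPACE_ID={normalized_id} "
        f"OPINSIGHTS_WORKSPACE_KEY={workspace_key} "
        "AcceptEndUserLicenseAgreement=1"
    )
    # The inner setup.exe arguments travel as one quoted string after /C:
    return f'MMASetup-AMD64.exe /Q:A /R:N /C:"{inner}"'


# The success line the text says TestCloudConnection.exe prints at the end.
PASSED_RE = re.compile(
    r"Connectivity test passed for all hosts for workspace id (?P<id>[0-9a-fA-F-]{36})"
)

# Constructed stand-in for captured TestCloudConnection.exe output; the first
# line is illustrative, the last line uses the wording given in the text.
SAMPLE_TEST_OUTPUT = f"""Testing connectivity to the workspace endpoints...
Connectivity test passed for all hosts for workspace id {SAMPLE_WORKSPACE_ID}
"""


def connectivity_test_passed(output: str, expected_workspace_id: str) -> bool:
    """True only if the pass message is present AND names the workspace we
    just onboarded (catches an agent still pointed at a previous workspace)."""
    match = PASSED_RE.search(output)
    if match is None:
        return False
    return match.group("id").lower() == str(uuid.UUID(expected_workspace_id))


if __name__ == "__main__":
    print(build_mma_install_command(SAMPLE_WORKSPACE_ID, SAMPLE_WORKSPACE_KEY))
    print("connectivity ok:",
          connectivity_test_passed(SAMPLE_TEST_OUTPUT, SAMPLE_WORKSPACE_ID))
```

The workspace-ID comparison in connectivity_test_passed is the check worth keeping: a host that was previously onboarded to another workspace will still print a pass message, just for the wrong ID. 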
Connect AWS cloud resources 


For Azure Defender to connect with AWS, the target AWS account must have AWS Security 
Hub enabled on it. AWS Security Hub has a cost associated with it, which varies according to the 
number of accounts and regions where it is enabled. 


Once the AWS connector is operational, you will start seeing security recommendations for 
AWS appearing in the Security Center Recommendations Dashboard. However, before configuring 
the AWS connector, you will need to do the following: 


1. Configure AWS Security Hub in the target account: 

■ Enable AWS Config with the console. 

■ Enable AWS Security Hub and confirm that there is data flowing to it. 

2. Configure AWS authentication, which can be done by creating one of the following: 

■ An IAM role for Security Center 

■ An AWS user for Security Center 


3. Regardless of the authentication method you selected previously, make sure that this 
role/user has the following permissions policies: 


■ SecurityAudit 
■ AmazonSSMAutomationRole 
■ AWSSecurityHubReadOnlyAccess 


4. When configuring the Account ID in AWS, make sure to use this Microsoft Account ID: 
158177204117. 
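Steps 2 through 4 are easy to get subtly wrong (a trust policy that names your own account instead of Microsoft's, or a role missing one of the three policies), so here is an added Python checker that is not part of the book or of Microsoft's tooling. It takes a role record shaped like the merged output of `aws iam get-role` and `aws iam list-attached-role-policies` (that shape is an assumption; the two sample roles below are constructed) and reports every way the role falls short of the prerequisites above, including a wildcard principal, which would let any AWS account assume the role. 

```python
import re

# Microsoft's account ID from the prerequisites: the principal that must be
# allowed to assume the Security Center role.
MICROSOFT_ACCOUNT_ID = "158177204117"

# The three managed policies the prerequisites require on the role or user.
REQUIRED_POLICIES = {"SecurityAudit", "AmazonSSMAutomationRole",
                     "AWSSecurityHubReadOnlyAccess"}


def _as_list(value):
    """IAM policy JSON allows a single string or object where a list is expected."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def trusted_accounts(trust_policy: dict):
    """Return (set of 12-digit account IDs allowed to sts:AssumeRole,
    whether any Allow statement uses a wildcard principal)."""
    accounts, wildcard = set(), False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            wildcard = True
            continue
        for arn in _as_list((principal or {}).get("AWS")):
            if arn == "*":
                wildcard = True
            else:
                match = re.search(r"\b(\d{12})\b", arn)
                if match:
                    accounts.add(match.group(1))
    return accounts, wildcard


def check_security_center_role(role: dict) -> list:
    """Return findings against the prerequisites; an empty list means the role passes."""
    findings = []
    accounts, wildcard = trusted_accounts(role["AssumeRolePolicyDocument"])
    if MICROSOFT_ACCOUNT_ID not in accounts:
        findings.append(f"trust policy does not allow account {MICROSOFT_ACCOUNT_ID} "
                        "to assume the role")
    if wildcard:
        findings.append("trust policy allows any AWS principal to assume the role")
    attached = {p["PolicyName"] for p in role.get("AttachedPolicies", [])}
    findings.extend(f"missing managed policy: {name}"
                    for name in sorted(REQUIRED_POLICIES - attached))
    return findings


def _role(account: str, policies) -> dict:
    """Constructed role record (assumed shape: get-role merged with
    list-attached-role-policies). Not real AWS data."""
    return {
        "RoleName": "SecurityCenterRole",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "sts:AssumeRole",
            }],
        },
        "AttachedPolicies": [{"PolicyName": p} for p in policies],
    }


GOOD_ROLE = _role(MICROSOFT_ACCOUNT_ID, sorted(REQUIRED_POLICIES))
# 123456789012 is a constructed placeholder account, not Microsoft's.
BAD_ROLE = _role("123456789012", ["SecurityAudit", "AWSSecurityHubReadOnlyAccess"])

if __name__ == "__main__":
    for label, role in (("good", GOOD_ROLE), ("bad", BAD_ROLE)):
        print(label, check_security_center_role(role) or ["ok"])
```

Run it against the real role record before clicking Create in the connector wizard; an empty finding list is the state the wizard expects. 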


With those steps in place, you are ready to configure the Cloud Connector. If you also want 
to onboard servers that are in AWS, you will need to ensure that the following three tasks are 
done before configuring the cloud connector in Azure Defender: 


1. Install the AWS Systems Manager on your Servers (EC2 instance) that reside in AWS. 
For instructions, see http://aka.ms/ascbookaws. 


2. Configure this Server (EC2 Instance) to use Azure Arc. For instructions, see 
http://aka.ms/ascbookarc. 


3. In Azure, make sure to create a service principal that will be used for Azure Arc. To con- 
figure that service principal, follow the steps from this article: http://aka.ms/ascbookspn. 


Now that all prerequisites are fulfilled, you can follow the steps below to start the configura- 
tion of the AWS connector in Security Center: 


1. Open the Azure portal and sign in with a user who has ownership privileges in the subscription. 


2. In the left navigation menu, click Security Center. 


3. In the Security Center's left navigation menu, under Management, click the Environment 
settings option, click the Add environment button, and click the Amazon Web Services 
option. The Add account page appears, as shown in Figure 2-16: 


[Figure: Add account page for Amazon Web Services (preview), Account details step, with Connector name, Onboard (Single account or Management account), Subscription, Resource group, Location, and AWS account Id fields, and a Next: Select plans button] 


FIGURE 2-16 Connect AWS Account 


4. In the Account details section, type the connector name in the Display name field. 


5. In the Onboard section, select the type of account (in this case, select Single account), 
then select the appropriate Subscription from the drop-down menu, the Resource group, 
the Location, and the AWS account Id. Click the Next: select plans button to continue. 


Figure 2-17 shows an example of the next page in this wizard. 
[Figure: Add account page, Select plans step, listing the plan names and descriptions that can be enabled for the connector] 


FIGURE 2-17 Options to enable different Defender for Cloud plans in the connector 


6. In the Select plans page, you will have the option to enable the Defender for Servers and 
Defender for Containers plans. For this example, leave only Security posture management 
selected and click the Next: Configure access button. You may receive a pop-up 
message emphasizing that you should enable Defender for Servers for full protection; 
click the Deny button to continue. 


7. Follow the steps shown on the screen (see the example in Figure 2-18) to download the 
CloudFormation template and run it in AWS. 


[Figure: Add account page, Configure access step. It offers a link to download the CloudFormation template and lists the Create Stack in AWS steps: log in to your AWS account, click Go to AWS, click Choose file and select the downloaded template, then click Next and Create stack. A Next: Review and generate button follows.] 


FIGURE 2-18 Final steps to prepare the AWS environment 
After some time, you will be able to see recommendations for your AWS account. In the 
search box, you can type AWS, and you will see all AWS-related recommendations, as shown 
in Figure 2-19. 


[Figure: Recommendations Dashboard filtered for AWS, showing controls such as Enable MFA and recommendations such as Ensure AWS Config is enabled in all regions and AWS Config should be enabled, with their current score, potential score increase, and resource health] 


FIGURE 2-19 AWS-related recommendations 


At this point, your Azure Arc machines will be discovered, but you still need to install the 
Log Analytics agent on those machines. There is a specific recommendation for that, as shown 
in Figure 2-20. 


[Figure: recommendation "Log Analytics agent should be installed on your Windows-based Azure Arc machines", severity High, freshness interval 24 Hours, with Description, Remediation steps, and Affected resources sections listing unhealthy, healthy, and not applicable resources] 


FIGURE 2-20 Recommendation to install the Log Analytics agent on the Azure Arc machine 


You can leverage the Quick Fix feature to deploy the agent to this Azure Arc machine 
quickly. You just need to select the server and click the Remediate button. As mentioned in 
the freshness interval description, it might take 24 hours for this remediation to take effect. 


Connect GCP cloud resources 


For Azure Defender to connect with GCP, the target GCP account must have Google Security 
Command Center enabled. Google Security Command Center has two pricing tiers: Standard (free) and 
Premium (paid). The free tier includes 12 recommendations, and the premium tier includes 
about 120 recommendations. 
When connecting your GCP accounts to specific Azure subscriptions, you need to take into 
consideration the Google Cloud resource hierarchy. Based on this hierarchy, you can 


■ Connect your GCP accounts to ASC at the organization level 
■ Connect multiple organizations to one Azure subscription 


■ Connect multiple organizations to multiple Azure subscriptions 


IMPORTANT ALL PROJECTS ADDED 


When you connect an organization, all projects within that organization are added to 
Security Center. 


Now that you understand the prerequisites, you will need to prepare the settings on GCP prior 
to deploying the GCP Connector in Azure Defender. Perform the following operations in GCP: 


■ Configure GCP Security Command Center. 

■ Enable Security Health Analytics. 

■ Enable the GCP Security Command Center API. 

■ Create a dedicated service account for the security configuration integration. 
■ Create a private key for the dedicated service account. 


With all prerequisites fulfilled, you can follow the steps below to start the configuration of 
the GCP connector in Azure Defender: 
1. Open the Azure portal and sign in with a user who has ownership privileges in the 
subscription. 
2. In the left navigation menu, click Security Center. 
3. In the Security Center's left navigation menu, under Management, click the Cloud 
Connectors option and click the Add GCP account button. The Connect GCP 
Account page appears, as shown in Figure 2-21. 


[Figure: Connect GCP account page, GCP authentication section, with Display name, Subscription, Organization ID, and GCP private key file fields] 


FIGURE 2-21 Connect GCP Account 


4. In the Display Name field, type a name for this connector. 


5. In the Subscription drop-down menu, select the Azure subscription that you want to 
connect with (where the GCP recommendations will appear). 
6. Select the appropriate Location in the drop-down list, and in the GCP project Id field, type 
the identification number for the Google project. Click the Next: Select plans button to 
continue. 


7. In the Select plans page, the experience is similar to AWS; leave the default selection and 
click Next: configure access to continue. 


8. In the Configure access page, click the Copy button, click the GCP Cloud Shell button, paste the 
script, and run it. Once it finishes running, navigate back to the wizard, click the Next: Review and 
generate button, and conclude the configuration by clicking the Create button. 


The security recommendations for your GCP resources will appear in the Defender for Cloud 
Recommendations Dashboard and in the regulatory compliance dashboard between 5 and 
10 minutes after the onboarding process is completed. To view only the GCP recommendations, 
you can also change the Environment filter in the security Recommendations Dashboard to 
filter for GCP only, as shown in Figure 2-22. 


[Figure: Recommendations Dashboard with the Environment filter set to GCP, showing controls such as Manage access and permissions, Restrict unauthorized network access, Remediate security configurations, and Encrypt data in transit, each with its current score, potential score increase, and GCP resource health] 


FIGURE 2-22 GCP recommendations 


EXAM TIP 


When studying for the SC-200 exam, make sure you know the exact order of operations that 
must be done in AWS and GCP before going to Microsoft Defender for Cloud to configure 
the connectors. 


Skill 2-3: Manage Microsoft Defender for Cloud alert rules 


For the Security Operations Center (SOC) to be effective, it needs to have high-level, quality 
data to be analyzed. For some workloads, the ingestion of raw data is desirable. However, 
over time, SOC Analysts became too busy rationalizing the raw data to identify indications of 
compromise. When using Microsoft Defender for Cloud, you will take advantage of a high-level, 
quality alert that already provides the needed information about an attack and how 
to respond to it. This section of the chapter covers the skills necessary to manage Microsoft 
Defender for Cloud alert rules according to the Exam SC-200 outline. 
Validate alert configuration 


Azure Defender uses advanced security analytics and machine-learning technologies to evalu- 
ate events across the entire cloud fabric. The security analytics include data from multiple 
sources, including Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), 
the Microsoft Security Response Center (MSRC), and external feeds. This is the core of Azure 
Defender threat detection, and on top of that, there will be different mechanisms of detection 
according to the workload. 

With the continuous change in the threat landscape for different workloads, using a generic 
threat detection that will cover “some scenarios” is not sufficient. For this reason, Azure Defender 
has threat detections that are specific for each supported Azure service. You can enable Azure 
Defender according to the scenarios for which you want to have threat detection. At the time 
this book was written, the following options were available: 

■ Azure Defender for Servers 

■ Azure Defender for App Service 

■ Azure Defender for SQL Database 

■ Azure Defender for SQL on machines 

■ Azure Defender for Storage 

■ Azure Defender for Azure Kubernetes (AKS) 

■ Azure Defender for Azure Container Registries (ACR) 
■ Azure Defender for Key Vault 

■ Azure Defender for Resource Manager 

■ Azure Defender for DNS 

Each one of those options can be enabled separately, and you have 30 days free to try those 
detections. There is not much configuration for alerts, and you don’t need to create custom 
rules or enable specific options. You only need to enable the Azure Defender plan, and at that 
point, you might receive an alert if suspicious activity is detected. 

The number of security alerts you see in the Security Alerts Dashboard can vary depending 
on the number of resources that you are monitoring with Azure Defender and the business 
itself. Some organizations receive more attacks than others, which means they have more 
security alerts. You can validate the alert using the Create Sample Alerts feature. Follow the 
procedures below to do that: 

1. Open the Azure portal and sign in with a user who has Security Admin privileges. 


2. In the left navigation menu, click Security Center. 


3. In the Security Center's left navigation menu, under General, click the Security 
Alerts option. 
4. In the top-right corner, click the Create Sample Alerts option. The Create Sample Alerts 
(Preview) blade appears, as shown in Figure 2-23. 


[Figure: Create sample alerts (Preview) blade, inviting you to try Azure Defender alerts by creating sample alerts from the different Azure Defender plans, with Subscriptions and Azure Defender plans drop-down menus and a Create sample alerts button] 


FIGURE 2-23 Create Sample Alerts 


5. In the Subscriptions drop-down menu, select the subscription for which you want to 
generate the sample alert. 


6. Click the Azure Defender plans drop-down menu, click Select All to uncheck all plans, 
and select only Virtual Machines. 


7. Click the Create Sample Alerts button to generate the sample alerts. 


After a few minutes, you will see six sample alerts appear in the Security Alert Dashboard, 
as shown in Figure 2-24. 


[Figure: Security Alert Dashboard showing the active alerts by severity tiles and the list of sample alerts] 


FIGURE 2-24 Security Alert Dashboard with the sample alerts for VMs 


By default, the Security Alert Dashboard presents the alerts indexed by severity, but you can 
use the filtering options to change the severities that you want to see. You can also filter by: 


■ Subscription If you have multiple subscriptions selected, you can customize which 
subscriptions you want to see alerts from. 


■ Status By default, only Active is selected. Also, you can change it to see alerts that 
were dismissed. 
■ Time Allows you to configure the timeline of the alerts that you can see (up to the 
last three months). 
■ Add Filter Allows you to add more filters that are not visible by default. 
In addition to the filters, you can also use the search box to search for alert ID, alert title, or 
affected resource. Once you find the alert that you want, you can click it, and the alert details 
page appears, as shown in Figure 2-25. 


[Figure: alert details page for the sample alert "Digital currency mining related behavior detected", showing severity High, status Active, the activity time, the alert description ("THIS IS A SAMPLE ALERT: Analysis of host data on Sample VM detected the execution of a process or command normally associated with digital currency mining."), the affected resource Sample-VM (virtual machine) in the Visual Studio Ultimate with MSDN subscription, the MITRE ATT&CK tactic Execution, and View full details and Take action buttons] 


FIGURE 2-25 Alert details page 


This initial page allows you to review the alert's details and change the status from Active 
to Dismissed. You also have a graphical representation of where the alerts fit into the Mitre 
ATT&CK Tactics framework. 


MORE INFO MITRE ATT&CK TACTICS FRAMEWORK 


You can obtain more information about this framework at https://attack.mitre.org/versions/v7/. 


After reviewing the alert's details, you can obtain more granular information by accessing the 
alert's full page. To do that, click the View Full Details button, which will make the full alert 
page appear, as shown in Figure 2-26. 
[Figure: full Security alert page for the sample alert "Digital currency mining related behavior detected", showing severity High, status Active, the activity time, Sample-account, sample.exe, the alert description, MITRE ATT&CK tactics, and a Related entities section listing Account (1), File, Host, Host logon session (1), and Process (2), with a "Was this useful?" prompt] 


FIGURE 2-26 Alert details page 


The right part of the full alert page shows more details that are relevant for the alert. In the 
bottom part of the page is the Related Entities section, which enumerates the relevant entities 
(Related Entities, including Account, File, Host, Host Logon Session, and Process) that were used 
during this attack. Keep in mind that the related entities will vary according to the alert type and 
whether those entities were used. Although the example shown in Figure 2-26 is from a sample 
alert, the fields shown in this alert type are the same ones that you would see in a real live alert. 


Another important option on this page is the Take Action tab, which contains relevant 
information to mitigate the threat highlighted in this alert, the recommendations that could be 
remediated to prevent future attacks, the option to trigger a Logic App automation, and the 
option to create a suppression rule. Figure 2-27 shows an example of the content of this tab. 
[Figure: Take action tab of the alert, with the sections Mitigate the threat ("Review with Sample-account the suspicious command process and command line to confirm that this is legitimate activity that you expect to see on Sample-VM. If not, escalate the alert to the information security team." and a note that there are 4 more alerts on the affected resource), Prevent future attacks ("Solving security recommendations can prevent future attacks by reducing attack surface."), Trigger automated response, and Suppress similar alerts] 


FIGURE 2-27 Take Action tab with the available options for an alert 


Set up email notifications 


When high-fidelity alerts are triggered, you might want to notify the right people about those 
alerts to ensure you give the right level of visibility and awareness. By configuring the email no- 
tifications option in Azure Security Center, you will be able to establish who should be notified 
and what they should be notified about by selecting the alert's severity. This option is natively 
available in Azure Security Center, which means you don't have to upgrade to Azure Defender 
to use this feature. 


It is important to emphasize that Security Center limits the volume of outgoing emails. This 
is an important step to avoid email fatigue for the recipients. This limitation is applied for each 
subscription based on the alert’s severity, as shown below: 


■ High-severity alert Maximum of one email per 6 hours (4 emails per day) 
■ Medium-severity alert Maximum of one email per 12 hours (2 emails per day) 
■ Low-severity alert Maximum of one email per 24 hours 


You can configure the alert severity about which you want to be notified. Follow the steps 
below to configure the email notifications in Azure Security Center: 


1. Open the Azure portal and sign in with a user who has Security Admin privileges. 
2. In the left navigation menu, click Security Center. 


3. In the Security Center's left navigation menu, under Management, click the Pricing & 
Settings option. 


4. Click the subscription for which you want to change this setting. 
5. On the Azure Defender Plans page, under Settings on the left, click Email Notifications. 
The Email Notifications page appears, as shown in Figure 2-28. 


[Figure: Email notifications page with a Save button, an Email recipients section for selecting who will get the email notifications from Azure Security Center for the subscription, and a Notification types section noting that you receive a maximum of one email per 6 hours for high-severity alerts] 


FIGURE 2-28 Email notifications options 


6. In the Email Recipients section, click the All Users With The Following Roles drop-down 
menu and select the user role that you want to notify via email. The available 
options are Owner, AccountAdmin, ServiceAdmin, and Contributor. You can select 
more than one role. 


7. In the Additional Email Addresses field, you can add other email addresses that you 
also want to notify. 


8. In the Notification Types section, you have the option to select the alert severity in the 
Notify About Alerts With The Following Severity (Or Higher) drop-down menu. 


9. Once you finish the configuration, click the Save button to commit the changes. 
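To make the two rules above concrete (the severity-or-higher threshold from the Notification Types section and the per-subscription, per-severity sending limits listed earlier), here is an added Python model. It is not Security Center's implementation; the windows are the ones stated in the text, the decision logic is assumed, and the alert sequence is constructed. Running it shows why a burst of High alerts in one subscription produces a single email, and why a second subscription still gets its own. 

```python
from datetime import datetime, timedelta

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Per-subscription sending limits stated in the text, keyed by alert severity.
EMAIL_WINDOW = {
    "High": timedelta(hours=6),     # at most 4 emails per day
    "Medium": timedelta(hours=12),  # at most 2 emails per day
    "Low": timedelta(hours=24),     # at most 1 email per day
}


class EmailNotifier:
    """Models the 'severity (or higher)' threshold plus the per-subscription,
    per-severity throttling described in the text (assumed logic, not
    Security Center's own code)."""

    def __init__(self, minimum_severity: str = "High"):
        if minimum_severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {minimum_severity!r}")
        self.minimum_severity = minimum_severity
        self._last_sent = {}  # (subscription, severity) -> time of the last email

    def decide(self, subscription: str, severity: str, alert_time: datetime) -> str:
        """Return 'send', 'below-threshold' or 'throttled' for one alert."""
        if SEVERITY_RANK[severity] < SEVERITY_RANK[self.minimum_severity]:
            return "below-threshold"
        key = (subscription, severity)
        last = self._last_sent.get(key)
        if last is not None and alert_time - last < EMAIL_WINDOW[severity]:
            return "throttled"          # budget for this severity already spent
        self._last_sent[key] = alert_time
        return "send"


def run_simulation(alerts, minimum_severity: str = "Medium"):
    """Feed (subscription, severity, time) tuples through one notifier and
    return the decision for each alert in order."""
    notifier = EmailNotifier(minimum_severity)
    return [notifier.decide(sub, sev, when) for sub, sev, when in alerts]


# Constructed alert stream; subscription names and times are illustrative.
T0 = datetime(2021, 1, 8, 15, 59)
SAMPLE_ALERTS = [
    ("sub-A", "High", T0),
    ("sub-A", "High", T0 + timedelta(hours=1)),    # within 6 h of the last High email
    ("sub-B", "High", T0 + timedelta(hours=1)),    # other subscription, own budget
    ("sub-A", "Low", T0 + timedelta(hours=2)),     # below a Medium threshold
    ("sub-A", "Medium", T0 + timedelta(hours=3)),  # Medium has its own 12 h budget
    ("sub-A", "High", T0 + timedelta(hours=7)),    # 6 h window elapsed
]

if __name__ == "__main__":
    for alert, decision in zip(SAMPLE_ALERTS, run_simulation(SAMPLE_ALERTS)):
        print(alert, "->", decision)
```

The practical consequence is that email is a wake-up signal, not a record: a throttled alert is still in the Security Alerts Dashboard, and an exported or automated copy (see the workflow automation material later in this chapter) is what a SOC should rely on for completeness. 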


Create and manage alert suppression rules 


There are some scenarios in which you might want to dismiss an alert because you consider it a 
false positive for your environment. A typical scenario is when an organization is going through 
a pentest (penetration test) exercise conducted by its red team: some alerts start getting 
triggered, and the organization wants to suppress them to avoid noise and alert pollution. For 
those scenarios, you can leverage the alert suppression feature. To create or delete an alert 
suppression rule, you need to have Security Admin or Owner privileges. To view alert 
suppression rules, you need to have Security Reader or Reader privileges. 


Before configuring the alert suppression, you should identify the exact alert that you want 
to suppress and for how long the suppression rule should be active. It is important to establish 
an expiration date for the rule because you don't want to be blind to this alert forever. Usually, 
those suppression scenarios are happening for a reason, and for the most part, these reasons 
are happening because of a temporary circumstance. Follow the steps below to configure an 
alert suppression rule: 


1. Open the Azure portal and sign in with a user who has Security Admin privileges. 
2. In the left navigation menu, click Security Center. 
3. In the Security Center's left navigation, under General, click the Security Alerts option. 


4. In the Security Alerts Dashboard, click the Suppression Rules option, and the Suppression 
Rules page appears, as shown in Figure 2-29. 


[Figure: empty Suppression rules page with the columns Subscription Name, Rule Last Modified, Expiration Date, and Rule State] 


FIGURE 2-29 Suppression Rules page 


5. Click the Create New Suppression Rule option, and the New Suppression Rule blade 
appears, as shown in Figure 2-30. 


[Figure: New suppression rule blade with Rule Conditions, Rule details, and Rule expiration (date and time for this rule) sections, a Test your rule / Simulate option, and Apply and Cancel buttons] 


FIGURE 2-30 New Suppression Rule 
6. In the Rule Conditions section, click the Subscription drop-down menu and select the 
subscription to which you want to apply this rule. 


7. Under Alerts, select Custom, and in the drop-down menu, select the alert that you 
want to suppress. For this example, select the Suspicious PHP Execution Detected 
sample alert. 


8. Under the Entities option, you can make the suppression more granular by choosing 
specific fields from the alert that should match with the rule to be suppressed. You can 
click the plus sign button (+) to add multiple entities. Just keep in mind that when you 
do that, the suppression rule will only apply if both conditions are true. In other words, 
there is an AND between each entity field. For this example, leave this selection as is. 


9. In the Rule Details section, under Rule Name, type a name for this rule. (The rule name 
cannot have any spaces.) For this example, type PHPSuppression. 


10. Under State, leave the default option, which is Enabled. 


11. Under Reason, you can select the most appropriate option in the drop-down menu. 
For this example, select Other, and under Comment, type suppression for red 
team exercise. 


12. Under Rule Expiration, configure the rule for two months from the day that you are 
configuring. 


13. To validate the rule, click the Simulate button, and you will see the result right under 
the Test Your Rule option. 


14. Click the Apply button to commit the change and create the rule; the rule appears in 
the Suppression Rules page, as shown in Figure 2-31. 


[Figure: Suppression rules page listing the new rule with its Rule Name, Subscription Name, Rule Last Modified, Expiration Date, and Rule State] 


FIGURE 2-31 Suppression rule created 


The next time this alert is triggered, it will be automatically suppressed. It is important to men- 
tion that suppressed alerts are still available for you to see. You just need to change the filter in 
the Security Alerts Dashboard to see alerts that were dismissed. If you are using the Continuous 
Export feature to export all alerts to the Log Analytics workspace, the suppressed alerts will also 
be available in the workspace. You just need to run a query to list all dismissed alerts. 
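The rule semantics in steps 7 through 13 (one alert type, entity fields that are ANDed, a mandatory expiration, and a Simulate check before applying) are summarized in this added Python model. It is not Security Center's code; the field names and the alert records are constructed, and the rule mirrors the PHPSuppression example above except that it also pins an entity field to show the AND behavior. 

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class SuppressionRule:
    """Model of the New Suppression Rule blade's fields (assumed names)."""
    name: str
    subscription: str
    alert_name: str              # the alert type chosen under Alerts > Custom
    expires: datetime            # Rule expiration: required, so the rule cannot live forever
    entities: dict = field(default_factory=dict)  # entity field -> required value (ANDed)
    enabled: bool = True         # State
    reason: str = "Other"
    comment: str = ""

    def __post_init__(self):
        if " " in self.name:
            raise ValueError("rule name cannot contain spaces")

    def matches(self, alert: dict, now: datetime) -> bool:
        if not self.enabled or now >= self.expires:
            return False
        if alert["subscription"] != self.subscription:
            return False
        if alert["alertName"] != self.alert_name:
            return False
        # Every configured entity field must match: there is an AND between them.
        return all(alert.get("entities", {}).get(k) == v
                   for k, v in self.entities.items())


def simulate(rule: SuppressionRule, alerts, now: datetime):
    """Like the Simulate button: IDs of the alerts the rule would dismiss right now."""
    return [a["id"] for a in alerts if rule.matches(a, now)]


def apply_rule(rule: SuppressionRule, alerts, now: datetime):
    """Return copies of the alerts with status Dismissed where the rule matches.
    Dismissed alerts stay in the list, as they stay visible under the Status filter."""
    result = []
    for alert in alerts:
        alert = dict(alert)
        if alert["status"] == "Active" and rule.matches(alert, now):
            alert["status"] = "Dismissed"
        result.append(alert)
    return result


# Constructed data: the subscription and alert names come from the chapter's
# examples, the IDs, hosts and timestamps are illustrative.
NOW = datetime(2021, 1, 8, 16, 0)
SUBSCRIPTION = "Visual Studio Ultimate with MSDN"
RULE = SuppressionRule(
    name="PHPSuppression",
    subscription=SUBSCRIPTION,
    alert_name="Suspicious PHP execution detected",
    expires=NOW + timedelta(days=61),   # roughly two months, as in step 12
    entities={"host": "Sample-VM"},    # added to demonstrate entity matching
    reason="Other",
    comment="suppression for red team exercise",
)
SAMPLE_ALERTS = [
    {"id": "a1", "subscription": SUBSCRIPTION, "status": "Active",
     "alertName": "Suspicious PHP execution detected", "entities": {"host": "Sample-VM"}},
    {"id": "a2", "subscription": SUBSCRIPTION, "status": "Active",
     "alertName": "Suspicious PHP execution detected", "entities": {"host": "web-02"}},
    {"id": "a3", "subscription": SUBSCRIPTION, "status": "Active",
     "alertName": "Digital currency mining related behavior detected",
     "entities": {"host": "Sample-VM"}},
    {"id": "a4", "subscription": "other-subscription", "status": "Active",
     "alertName": "Suspicious PHP execution detected", "entities": {"host": "Sample-VM"}},
]

if __name__ == "__main__":
    print("would suppress:", simulate(RULE, SAMPLE_ALERTS, NOW))
    print("after expiry:", simulate(RULE, SAMPLE_ALERTS, NOW + timedelta(days=90)))
```

Because matching is scoped by subscription, alert type, and every entity field, the rule stays narrow: the same alert on another host (a2) or another subscription (a4) still reaches the analyst, and once the expiration passes nothing is suppressed at all. 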


Skill 2-4: Configure automation and remediation 


Automation is a very important component for any SOC to operate at an optimal level. Auto- 
mating response for alerts can save time and reduce the likelihood that a threat actor will con- 
tinue infiltrating the environment and perform more malicious actions. This section covers the 
skills necessary to configure automation and remediation based on the Exam SC-200 outline. 
Configure automated response in Azure Security Center 


Azure Security Center utilizes the workflow automation feature to expedite an automated 
response for recommendations and alerts. Response for recommendations is more applicable 
to the cloud security posture management scenario. Response for alerts is more applicable to 
a cloud workload protection platform scenario, which is the scenario that SOC Analysts will be 
primarily working on. 

Workflow automation leverages Azure Logic Apps as the automation engine, and within the 
Logic App, you have almost unlimited possibilities to automate processes. To create a workflow 
automation, you need Security Admin role privileges or Owner privileges on the resource 
group. In addition to that, you also must have write permissions on the target 
resource. Prior to creating the workflow automation, you need to create a Logic App that will 
be used by the automation. To work with Azure Logic Apps workflows, you must also have 
Logic App Contributor permissions to create or modify an existing Logic App. 


To enable automation, the workflow automation feature brings additional trigger types to 
Logic Apps, which are: 


■ The When An Azure Security Center Recommendation Is Created Or Triggered 
trigger will start a Logic App Playbook in the following conditions: 


■ A resource has been added to a recommendation as a result of an ASC assessment. 


■ A resource status has changed within a recommendation as a result of an ASC 
assessment, where the resource status can be healthy, unhealthy, or not applicable. 


■ A Logic App is manually triggered from a recommendation within ASC. 


■ The When An Azure Security Center Alert Is Created Or Triggered trigger will start 
a Logic App Playbook in the following conditions: 


■ An alert is created in Azure Defender. 
■ From an alert, the Logic App is manually triggered. 


The first trigger type will help you to create several types of automation artifacts. For exam- 
ple, you could let the Logic App create a ServiceNow ticket if a new alert is created and notify 
the incident response team about this new alert. You could also auto-remediate or quarantine 
resources if they are part of an alert. Every time Azure Security Center triggers the Logic App, it 
will send a lot of information that you can use for further steps, including 


■ Name of the assessment as a GUID 
■ Assessment ID 
■ The recommendation’s display name 


■ Metadata information for the recommendation, including a description, remediation 
steps, and severity 


■ Resource details, including the resource ID 
■ Status code (healthy, unhealthy, or not applicable) 


■ A deep link to the assessment result in the recommendations blade 
This information can then be used within the Logic App, either for storing it or for notifying 
someone, but it also can be used to retrieve further information from other APIs, such as the 
different Azure Security Center REST API providers. 


If you want to auto-remediate a resource, the information about the resource and the 
assessment/recommendation helps you determine the next steps. To create a workflow 
automation, follow these steps: 

1. Open the Azure portal and sign in with a user who has Security Admin privileges. 
2. In the left navigation pane, click Security Center. 
3. In the left navigation pane, in the Management section, select Workflow Automation, 
and then click + Add Workflow Automation. The Add Workflow Automation 
blade appears, as shown in Figure 2-32. 


[Figure: Add workflow automation blade with Name, Select Security Center data types (Threat detection alerts), Alert name contains, Alert severity (All severities selected), and Actions fields] 


FIGURE 2-32 Add Workflow Automation 


4. Enter a Name, and select the Subscription and Resource Group in which you want to 
store the workflow configuration. 
5. From the Select Security Center Data Types drop-down menu, you can choose 
Threat Detection Alerts or Security Center Recommendation. This will determine 
the trigger type upon which the workflow will react. Notice that the blade will change 
depending on your selection. For this example, select Threat Detection Alerts. 


6. Under the Alert Name Condition, type the name of the alert, which is based on the 
Azure Defender plan that will trigger the alert. 


7. From the Alert Severity drop-down menu, select the severity of the alerts for which you 
want to automate the response. 


8. Under Actions, select the subscription from which you are going to retrieve the Logic 
Apps. In the Logic App Name drop-down menu, select the Logic App that will have the 
automation that you previously created. 


9. Click the Create button. 
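The matching performed by steps 5 through 8 (data type, alert name condition, severity filter, target Logic App) is illustrated by this added Python model, which is not Security Center's code: the field names, the substring and severity semantics, the automation names, Logic App names, and the event stream are all assumed or constructed. It shows which Logic App each incoming alert or recommendation would start, including the case where one High alert fires two automations. 

```python
from dataclasses import dataclass, field

ALERTS = "Threat Detection Alerts"
RECOMMENDATIONS = "Security Center Recommendation"


@dataclass
class WorkflowAutomation:
    """Model of the Add Workflow Automation blade (assumed matching semantics)."""
    name: str
    data_type: str               # ALERTS or RECOMMENDATIONS
    logic_app: str               # Logic App Name selected under Actions
    name_contains: str = ""      # Alert name condition; empty matches any name
    severities: set = field(default_factory=lambda: {"Low", "Medium", "High"})

    def should_trigger(self, event: dict) -> bool:
        if event["dataType"] != self.data_type:
            return False
        # Case-insensitive substring match, like an "Alert name contains" filter.
        if self.name_contains.lower() not in event["displayName"].lower():
            return False
        # The severity filter belongs to the alert trigger only.
        if self.data_type == ALERTS and event["severity"] not in self.severities:
            return False
        return True


def route(automations, events):
    """Return (automation name, Logic App, event id) for every automation an event fires."""
    return [(auto.name, auto.logic_app, event["id"])
            for event in events
            for auto in automations
            if auto.should_trigger(event)]


# Constructed automations; Logic App names are placeholders.
AUTOMATIONS = [
    WorkflowAutomation("escalate-mining", ALERTS, "notify-ir-team",
                       name_contains="mining", severities={"High"}),
    WorkflowAutomation("ticket-all-high", ALERTS, "create-ticket",
                       severities={"High"}),
    WorkflowAutomation("agent-remediation", RECOMMENDATIONS, "install-agent",
                       name_contains="Log Analytics agent"),
]

# Constructed events using alert and recommendation names from this chapter;
# the IDs, resource ID and status are illustrative.
SAMPLE_EVENTS = [
    {"id": "a1", "dataType": ALERTS, "severity": "High",
     "displayName": "Digital currency mining related behavior detected"},
    {"id": "a2", "dataType": ALERTS, "severity": "Medium",
     "displayName": "Digital currency mining related behavior detected"},
    {"id": "a3", "dataType": ALERTS, "severity": "High",
     "displayName": "Suspicious PHP execution detected"},
    {"id": "r1", "dataType": RECOMMENDATIONS, "status": "Unhealthy",
     "resourceId": "/subscriptions/<sub>/resourceGroups/rg/providers/"
                   "Microsoft.HybridCompute/machines/arc-01",
     "displayName": "Log Analytics agent should be installed on your "
                    "Windows-based Azure Arc machines"},
]

if __name__ == "__main__":
    for hit in route(AUTOMATIONS, SAMPLE_EVENTS):
        print(hit)
```

Two things to notice when designing real automations: overlapping rules are cumulative (a1 starts both notify-ir-team and create-ticket), so dedupe or order them deliberately, and a recommendation-driven automation needs its own Logic App trigger type, since the severity filter does not apply to it. 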


Design and configure a playbook in Azure Defender 


Playbooks are collections of procedures that can be run from Azure Defender in response to an alert. Although the term playbook doesn't appear in the dashboard, it is a term commonly used by security professionals when referring to a collection of instructions that can help automate and orchestrate a response to an incident. Playbooks in Azure Defender are based on workflows built into Azure Logic Apps.


When planning the implementation of playbooks for Azure Defender, you need to design 
your solution based on the business and technical requirements. For example, if the technical 
requirement is to automatically run a playbook if a particular alert is triggered, you will need to 
use the workflow automation feature. Suppose the requirement is to allow security operations 
analysts to manually execute a playbook when they are reviewing the alerts. In that case, you 
don't need to use the workflow automation, but you need to create the playbook in Logic Apps 
and make it available to be used on-demand. 


Before starting the Logic App creation, you need to determine what you want to accomplish. That's why it is so important to first establish the workflow of actions and then validate the actions with the team. Only after that can you start the implementation. For this example, the goal is to send an email to the incident response team with the details about an alert and the remediation steps. The security analyst who is going to triage the events will trigger this Logic App once they identify an alert that needs escalation.


The steps to configure the workflow automation are the same as explained in the previous section. Follow these steps to configure a new playbook using Logic Apps:


1. Navigate to the Azure portal by opening https://portal.azure.com.
2. In the search bar, type logic apps, and under Services, click Logic Apps.
3. On the Logic Apps page, click the + Add button; the Create A Logic App page appears, as shown in Figure 2-33.


[Figure 2-33 (screenshot): the Create A Logic App page, Basics tab, with the Project Details section (Subscription, Resource Group), the Instance Details section (Logic App Name, Region, Integration Service Environment, Enable Log Analytics, Log Analytics Workspace), and the Review + Create, Next: Tags, and Download A Template For Automation buttons]

FIGURE 2-33 Options to create a new Logic App automation


4. In the Project Details section, select the subscription that will host the Logic App and the resource group.

5. In the Instance Details section, type a name for the Logic App and select the region. Optionally, you can also associate this Logic App with an existing integration service environment and push the Logic App runtime events to a Log Analytics workspace. For this example, leave the default selection and click the Review + Create button.

6. Click the Create button to finish the configuration.

7. The Microsoft.EmptyWorkflow page appears. Click the Go To Resource button, and the Logic Apps Designer page appears, as shown in Figure 2-34.


[Figure 2-34 (screenshot): the Logic Apps Designer start page, listing common triggers (When a message is received in a Service Bus queue, When a HTTP request is received, When a new tweet is posted, When an Event Grid resource event occurs, Recurrence, When a new email is received in Outlook.com, When a new file is created on OneDrive, When a file is added to FTP server) and templates such as Blank Logic App, Azure Monitor Metrics Alert, and Delete old Azure blobs based on the last modified time]

FIGURE 2-34 Logic Apps Designer main page


8. On this page, you can either select one of the available templates or create a new one from scratch. For this example, click the Blank Logic App tile, and the Logic Apps Designer page appears, as shown in Figure 2-35.


[Figure 2-35 (screenshot): the empty Logic Apps Designer for the new Logic App, with the Code View and Parameters buttons, the Templates, Connectors, Help, and Info links, the Search Connectors And Triggers field, and the For You, All, Built-in, Standard, Enterprise, and Custom tabs]

FIGURE 2-35 Starting a new Logic App from scratch
9. In the Search Connectors And Triggers field, type Security Center. You will see the available connectors under All and the options to activate the connector under Triggers, as shown in Figure 2-36.


[Figure 2-36 (screenshot): search results for "security center" in the Logic Apps Designer, showing the Request, Security Center Alert, Security Center Recommendation, and Security Center Regulatory Compliance connectors, and under Triggers: When an Azure Security Center alert is manually triggered (Obsolete), When an Azure Security Center Alert is created or triggered, When an Azure Security Center Recommendation is created or triggered, and When a Security Center Regulatory Compliance Assessment is created or triggered (preview)]

FIGURE 2-36 Selecting the trigger for the workflow


10. Because the intent here is to create a playbook of actions that will be used for an alert, select the When An Azure Security Center Alert Is Created Or Triggered option under Triggers. The + New Step page shown in Figure 2-37 appears.

[Figure 2-37 (screenshot): the When an Azure Security Center Alert is created or triggered trigger card, which reads "No additional information is needed for this step. You will be able to use the outputs in subsequent steps." and "Connected to Security Center Alert. Change connection.", followed by the + New step button]

FIGURE 2-37 Selecting a new step for the workflow
11. Click the + New Step button, and on the Choose An Operation page, click the All tab, as shown in Figure 2-38.


[Figure 2-38 (screenshot): the Choose An Operation page with the All tab selected, showing connectors such as Control, HTTP, Inline Code, Service Bus, SQL Server, Azure Functions, and Office 365 Outlook, and a list of actions from various connectors]

FIGURE 2-38 Selecting a built-in connector


12. Under All, click the Office 365 Outlook icon; under Actions, click the Send An Email (V2) option. The Send An Email (V2) dialog box appears, as shown in Figure 2-39.

[Figure 2-39 (screenshot): the Send An Email (V2) dialog box, showing the connection in use and a Change Connection link]

FIGURE 2-39 Dialog box for configuring the automated message
13. In the To field, type the email address of the incident response team.

14. In the Subject field, type the subject for this automated email.

15. In the Body field, click in the Specify The Body Of The Mail area, and the dynamic content floating menu appears. This menu allows you to add fields from the Azure Defender alert to the email message. Figure 2-40 shows an example of how the fields can be inserted in the body of the email.

[Figure 2-40 (screenshot): the email body in the Send An Email (V2) dialog, composed as "A new alert with [Severity] was triggered. The alert [Alert Display Name] contains the following information: [Description] [Compromised Entity] The following steps are recommended to remediate this alert: [Remediation Steps]", where the bracketed items are dynamic content fields taken from the alert, next to the Add Dynamic Content link]

FIGURE 2-40 Dynamic content inserted in the body of the email


16. Click the Save button. 


Now that the Logic App is created, you can either link it to a workflow automation or trigger it manually from the alert itself. To trigger it from the alert, open the Security Alerts Dashboard, select the alert you want to triage, and click the Take Action button. From there, you can click the Trigger Logic App button in the Trigger Automated Response section, as shown in Figure 2-41.


[Figure 2-41 (screenshot): the Trigger Automated Response section of the Take Action tab, which reads "Trigger Logic App as an automated response to this security alert. You can get suggested responses in the ASC Community GitHub Repo." above the Trigger Logic App button]

FIGURE 2-41 Manually triggering an existing Logic App


Remediate incidents by using Azure Defender recommendations


Although alerts are based on actions that have already taken place, you can always learn from them and ensure that you implement the necessary steps to remediate them and prevent them from happening again.

When an alert is triggered, you will have a substantial amount of information to rationalize in order to better understand what happened in that situation. By reviewing the alert, you will be able to answer five main questions that are important for your investigation. Figure 2-42 maps these questions to the alert blade.


[Figure 2-42 (screenshot): a Failed SSH brute force attack security alert with its Alert Details and Take Action tabs, annotated with the investigation questions: When did it happen? (activity time), What happened? (alert description), Which resource was attacked? and Where is the resource located? (Affected Resource), and What should I do? (Take Action); the blade also shows the MITRE ATT&CK tactics and the Related Entities (Account, Host)]

FIGURE 2-42 Answers to the major investigation's questions


It is important to emphasize that not all alerts will have the same level of information; it really depends on the type of threat and the analytics for that threat. As you can see in Figure 2-42, there is a tab called Take Action, which has important information that will help you to know what needs to be done. The information in this tab will also vary according to the alert and the current conditions of the environment because Azure Defender will look at relevant security recommendations that were not remediated and could have contributed to this scenario. See Figure 2-43.

On this page, you can follow the steps under Mitigate The Threat to take reactive actions to remediate this alert. Keep in mind that these are initial suggestions to mitigate, but depending on the environment and the stage of the attack, other actions might need to be performed in addition to those steps.

An Azure Defender alert also creates this important correlation between the attacked resource and the security recommendations that are open for that resource. This helps create a link between the incident response team (reactive work) and the cloud security posture management team (proactive work).
[Figure 2-43 (screenshot): the Take Action tab of the Failed SSH brute force attack alert. Under Mitigate The Threat it lists three steps: for an Azure virtual machine, add the source IP to the NSG block list for 24 hours; enforce the use of strong passwords and do not reuse them across multiple resources and services; and for an Azure virtual machine, create an allow list for SSH access in the NSG. Under Prevent Future Attacks it lists the top three active security recommendations for the affected VM (disk encryption should be applied on virtual machines; management ports of virtual machines should be protected with just-in-time network access control; all network ports should be restricted on network security groups associated to your virtual machine), with the note that solving security recommendations can prevent future attacks by reducing attack surface. The tab also contains the Trigger Automated Response and Suppress Similar Alerts sections.]

FIGURE 2-43 Take Action tab with the mitigation and prevention steps


Create an automatic response using an Azure Resource Manager template


The workflow automation feature that was covered earlier in this chapter can also be deployed at scale using the Azure policy Deploy Workflow Automation for Azure Security Center alerts (policy ID: f1525828-9a90-4fcf-be48-268cdd02361e). One advantage of using this Azure policy to deploy workflow automation is that you can assign the policy at the management group level, which means all subscriptions under the management group will inherit this automation.

You can also use an Azure Resource Manager template (ARM template) to create a workflow automation that triggers a Logic App when specific security alerts are received by Azure Defender.


MORE INFO ARM TEMPLATE SAMPLE
You can view an ARM template sample for this deployment at http://aka.ms/SC200_WFARM. 
The technical requirements for a scenario dictate whether you are going to use an ARM template to deploy a workflow automation. If you need to deploy at scale and at the beginning of the pipeline for all subscriptions in your tenant, the ARM template is a good choice because it can be fully deployed with a single click. Keep in mind that the template assumes that you have already created your Logic App and that it is functional. That's why it is imperative that you correctly design your response prior to creating any type of automation.
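As an added illustration (it is not the sample behind the link above and not code from the book), the following ARM template shows what such a deployment contains: a Microsoft.Security/automations resource scoped to the whole subscription, one rule set that matches alerts by display name and severity (the same two conditions you set in steps 6 and 7 of the portal procedure), and a LogicApp action that points at an existing Logic App and the callback URL of its Security Center alert trigger. The automation name, the default alert-name filter, the trigger name, the property paths (AlertDisplayName, Severity), and the API versions are assumptions to check against the linked sample and the current resource schema; the Logic App itself is not created here, which is the point the text makes.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "automationName": {
      "type": "string",
      "defaultValue": "wfa-escalate-high-alerts",
      "metadata": { "description": "Name of the workflow automation (assumed value for this example)." }
    },
    "logicAppName": {
      "type": "string",
      "metadata": { "description": "Name of the existing Logic App playbook to run; it must already exist and work." }
    },
    "logicAppResourceGroup": {
      "type": "string",
      "defaultValue": "[resourceGroup().name]",
      "metadata": { "description": "Resource group that holds the Logic App (defaults to the deployment's group)." }
    },
    "alertNameContains": {
      "type": "string",
      "defaultValue": "Suspicious",
      "metadata": { "description": "Substring of the alert display name to match (same role as the Alert Name Condition field)." }
    },
    "alertSeverity": {
      "type": "string",
      "defaultValue": "High",
      "allowedValues": [ "High", "Medium", "Low", "Informational" ],
      "metadata": { "description": "Severity to match (same role as the Alert Severity drop-down)." }
    }
  },
  "variables": {
    "triggerName": "When_an_Azure_Security_Center_Alert_is_created_or_triggered",
    "logicAppId": "[resourceId(parameters('logicAppResourceGroup'), 'Microsoft.Logic/workflows', parameters('logicAppName'))]",
    "triggerId": "[resourceId(parameters('logicAppResourceGroup'), 'Microsoft.Logic/workflows/triggers', parameters('logicAppName'), variables('triggerName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Security/automations",
      "apiVersion": "2019-01-01-preview",
      "name": "[parameters('automationName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "description": "Example automation: run the escalation playbook for matching Azure Defender alerts.",
        "isEnabled": true,
        "scopes": [
          {
            "description": "All alerts raised in this subscription",
            "scopePath": "[subscription().id]"
          }
        ],
        "sources": [
          {
            "eventSource": "Alerts",
            "ruleSets": [
              {
                "rules": [
                  {
                    "propertyJPath": "AlertDisplayName",
                    "propertyType": "String",
                    "expectedValue": "[parameters('alertNameContains')]",
                    "operator": "Contains"
                  },
                  {
                    "propertyJPath": "Severity",
                    "propertyType": "String",
                    "expectedValue": "[parameters('alertSeverity')]",
                    "operator": "Equals"
                  }
                ]
              }
            ]
          }
        ],
        "actions": [
          {
            "actionType": "LogicApp",
            "logicAppResourceId": "[variables('logicAppId')]",
            "uri": "[listCallbackUrl(variables('triggerId'), '2019-05-01').value]"
          }
        ]
      }
    }
  ]
}
```

All rules inside one rule set must match for the action to fire, so the two rules above act as an AND of the name and severity conditions; to react to several unrelated alert names, add further rule sets rather than further rules. The callback URL is resolved by listCallbackUrl at deployment time, so the identity that runs the deployment (for example, `az deployment group create --resource-group <rg> --template-file workflow-automation.json --parameters logicAppName=<playbook>`) needs rights on the Logic App, and the deployment fails if the Logic App or its trigger does not exist yet.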


Skill 2-5: Investigate Azure Defender alerts and incidents 


For security analysts, it is imperative to have access to the right information in order to optimize the time of response. For this reason, it is important to have analytics that were created according to the workload that you are monitoring. Azure Defender provides high-quality alerts that can be utilized during different types of investigations. This section of the chapter covers the skills necessary to investigate Azure Defender alerts and incidents according to the Exam SC-200 outline.


Describe alert types for Azure workloads 


The types of alerts that Azure Defender triggers will depend on the Azure Defender plans that 
are enabled on your subscription. The analytics will be specific for the threat vector of each 
workload, and you can use the information available on the alert to further investigate this 
issue. The sections that follow will cover the available alert types in Azure Defender according 
to the plan. 


Azure Defender for Servers (Windows) 


Azure Defender for Servers detection in Windows looks at Windows Security events, and once it finds something suspicious, it triggers an alert. For example, if you execute the following command in a VM that is monitored by Azure Defender for Servers, it will be considered a suspicious activity:

powershell -nop -exec bypass -EncodedCommand "cABvAHcAZQByAHMAaABlAGwAbAAgAC0AYwBvAG0AbQBhAG4AZAAgACIAJgAgAHsAIABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBkAG8AdwBuAGwAbwBhAGQALgBzAHkAcwBpAG4AdABlAHIAbgBhAGwAcwAuAGMAbwBtAC8AZgBpAGwAZQBzAC8AUwB5AHMAbQBvAG4ALgB6AGkAcAAgAC0ATwB1AHQARgBpAGwAZQAgAGMAOgBcAHQAZQBtAHAAXABzAHYAYwBoAG8AcwB0AC4AZQB4AGUAIAB9ACIA"

PowerShell is a very powerful tool, and as you can see at the MITRE ATT&CK site (https://attack.mitre.org/techniques/T1086/), PowerShell has been used in many attack campaigns. When Azure Defender for Servers detects the PowerShell execution with the encoded command, it raises an alert for what the user is trying to hide. In this case, the command below (which is what the encoded string above decodes to) downloads the Sysmon.zip file from the Sysinternals website and saves it in the C:\temp folder with the svchost.exe name:

powershell -command "& { iwr https://download.sysinternals.com/files/Sysmon.zip -OutFile c:\temp\svchost.exe }"

Using PowerShell encoding to download malware from a command-and-control server is a common malicious pattern, so Defender for Servers will raise an alert.
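The decoding that this detection depends on can be reproduced offline. The following Python script is an added example, not code from the book or from Azure Defender: it rebuilds the encoded launcher from the plain command quoted above (a constructed sample, not captured telemetry), recovers the script text from the -EncodedCommand argument (base64 over UTF-16LE text), and reports the indicators an analyst or a detection rule would key on: the -NoProfile and execution-policy-bypass switches, the encoded command itself, the download cradle, and a dropped file that borrows a Windows system binary name outside the Windows directory. The switch abbreviations it recognizes, the list of borrowed binary names, and the indicator labels are the example's own choices.

```python
import base64
import binascii
import ntpath
import re

# Constructed sample: the plain command quoted in the text, and an -EncodedCommand launcher
# built from it here (not telemetry captured from a real host).
PLAIN_COMMAND = (
    'powershell -command "& { iwr https://download.sysinternals.com/files/Sysmon.zip '
    '-OutFile c:\\temp\\svchost.exe }"'
)


def encode_powershell(command: str) -> str:
    """-EncodedCommand carries base64 over the UTF-16LE bytes of the script text."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


SAMPLE_LAUNCHER = (
    'powershell -nop -exec bypass -EncodedCommand "' + encode_powershell(PLAIN_COMMAND) + '"'
)

# Launcher switches (with the abbreviations powershell.exe accepts) that suppress the profile,
# weaken the execution policy, or hide the window; the labels are this example's own.
LAUNCHER_SWITCHES = [
    (re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE), "profile suppressed (-NoProfile)"),
    (re.compile(r"-ex(?:ec|ecutionpolicy)?\s+bypass\b", re.IGNORECASE), "execution policy bypass"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE), "hidden window"),
]
ENCODED_ARG = re.compile(r'-(?:e|ec|en|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]+)"?', re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer)\b",
    re.IGNORECASE,
)
OUTFILE = re.compile(r'-outfile\s+"?([^\s"]+)', re.IGNORECASE)
# Windows system binary names that dropped files commonly borrow (assumed list for the example)
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def decode_encoded_command(blob: str):
    """Return the script text behind an -EncodedCommand blob, or None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command_line(line: str) -> dict:
    """Decode an encoded PowerShell launch and list the indicators a detection rule keys on."""
    indicators = []
    for pattern, label in LAUNCHER_SWITCHES:
        if pattern.search(line):
            indicators.append(label)
    decoded = None
    match = ENCODED_ARG.search(line)
    if match:
        indicators.append("encoded command")
        decoded = decode_encoded_command(match.group(1))
    # Inspect the recovered script, or the visible command line when nothing was encoded
    body = decoded if decoded is not None else line
    if DOWNLOAD_CRADLE.search(body):
        indicators.append("download cradle")
    out = OUTFILE.search(body)
    if out:
        path = out.group(1)
        if ntpath.basename(path).lower() in SYSTEM_BINARY_NAMES and "\\windows\\" not in path.lower():
            indicators.append("system binary name outside the Windows directory: " + path)
    return {"decoded": decoded, "indicators": indicators}


if __name__ == "__main__":
    result = analyze_command_line(SAMPLE_LAUNCHER)
    print("decoded:", result["decoded"])
    for indicator in result["indicators"]:
        print(" -", indicator)
```

The encoding step is why the alert text can show the hidden command: the blob is not encryption, only base64 over UTF-16LE, so any process-creation log that records the full command line gives the defender the same script the attacker ran. Treat the indicator list as a starting point for a rule, not a verdict; administrative tooling also uses encoded commands, so the download cradle and the borrowed system binary name are the strongest of the five signals.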


MORE INFO DEFENDER FOR SERVERS (WINDOWS) ALERTS


You can see the list of all alerts that can be generated by Defender for Servers (Windows) at 
http://aka.ms/sc200_azdefwindows. 


Defender for Servers (Linux) 


When Linux detection was first released, AuditD had to be installed in the Linux operating system. While AuditD provides a great amount of information that can be used to detect threats, not all Linux distros have AuditD installed by default. For this reason, the latest change in behavior for Linux detections was to build the elements that collect the relevant data into the Log Analytics (LA) agent itself.


MORE INFO DEFENDER FOR SERVERS (LINUX) ALERTS


You can see the list of all alerts that can be generated by Defender for Servers (Linux) at 
http://aka.ms/sc200_azdeflinux. 


Defender for Containers 


Defender for Containers provides two layers of protection to enhance the level of detection. 
Keep in mind that to have this layer of detection, you need to install the Log Analytics Agent 
for Linux on the Kubernetes nodes. 


AKS cluster-level threat detection is covered by Defender for Containers (agentless 
solution). This threat detection is based on continuous analysis of Kubernetes’ audit logs. 
Figure 2-44 shows an example of an alert that can be generated based on the Kubernetes log 
analysis done by Defender for Containers. 


MORE INFO DEFENDER FOR AKS ALERTS


You can see the list of all alerts that can be generated by Defender for Containers at 
https://aka.ms/azdforaks. 
[Figure 2-44 (screenshot): an Exposed Kubernetes dashboard detected security alert (High severity, Active, detected by Microsoft). The description reads: "Kubernetes audit log analysis detected exposure of the Kubernetes Dashboard by a LoadBalancer service. Exposed dashboard allows an unauthenticated access to the cluster management and poses a security threat." The affected resource is the ASC IGNITE DEMO Kubernetes service in the ASC DEMO subscription; the details show the kubernetes-dashboard service name and target port 9090; the MITRE ATT&CK tactic is Initial Access.]

FIGURE 2-44 Alert generated by Azure Defender for Kubernetes


Azure Defender for App Service 


Azure App Service is a service for hosting web applications, REST APIs, and mobile back ends. 
It enables you to develop in many languages, such as .NET, .NET Core, Java, Ruby, Node.js, PHP, 
or Python. Applications run and scale on both Windows and Linux. 


Azure Defender leverages the scale of the cloud to identify attacks on App Service applications, focusing on emerging attacks while attackers are in the reconnaissance phase. During that phase, attackers scan multiple Azure websites to identify vulnerabilities. Figure 2-45 shows an example of an alert generated by Azure Defender for App Service.


MORE INFO DEFENDER FOR APP SERVICE ALERTS


You can see the list of all alerts that can be generated by Azure Defender for App Service at 
https://aka.ms/sc200_azdefappservice. 
[Figure 2-45 (screenshot): a Phishing content hosted on Azure Webapps sample alert (High severity, Active). The description reads: "THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website." The affected resource is the Sample-App web application in the BuildEnv subscription; the MITRE ATT&CK tactic is Collection.]

FIGURE 2-45 Alert generated by Azure Defender for App Service


Azure Defender for Storage 


Azure Defender for Storage can be enabled for data stored in Azure Blob, Azure Files, and Azure Data Lake Storage (ADLS) Gen2. You can enable Azure Defender for Storage at the subscription level, just like any other plan, and you can also enable it only on the storage accounts that you want to protect.

Alerts generated by Azure Defender for Storage can occur when there are suspicious access patterns, such as an access from a Tor exit node. Another scenario in which an alert can be triggered is when there are suspicious activities in the storage account, such as an unusual change of access permission. Figure 2-46 shows a sample alert for Azure Defender for Storage.




[Figure 2-46 (screenshot): an Unusual amount of data extracted from a storage account sample alert (High severity, Active). The description reads: "THIS IS A SAMPLE ALERT: Someone has extracted an unusual amount of data from your Azure Storage account 'Sample-Storage'." The affected resource is the Sample-Storage storage account in the ASC DEMO subscription; the MITRE ATT&CK tactic is Exfiltration.]

FIGURE 2-46 Sample alert for Azure Defender for Storage


In 2020, hash reputation analysis for Storage, a major addition to Azure Defender for Storage, was released. To add an extra layer of security, Azure Defender for Storage analyzes uploaded files using hash reputation, which leverages Microsoft Threat Intelligence. It is very important to emphasize that this is not an antimalware scan of the storage. Instead, this feature inspects the storage logs and compares the hashes of newly uploaded files with information about known viruses, trojans, spyware, and ransomware.


MORE INFO DEFENDER FOR STORAGE ALERTS 


You can see the list of all alerts that can be generated by Azure Defender for Storage at 
https://aka.ms/sc200_azdefstorage. 




Azure Defender for SQL 


Azure Defender for SQL is a protection plan that helps you to mitigate potential database vulnerabilities and detect anomalous activities that may indicate threats against your databases. Azure Defender for SQL has evolved over the years and currently has two major plans:

■ Azure Defender for Azure SQL database servers Includes Azure SQL Database, Azure SQL Managed Instance, and Dedicated SQL pool in Azure Synapse

■ Azure Defender for SQL servers on machines Includes SQL Server running on VMs in Azure, on-premises, or in another cloud provider

Azure Defender for SQL provides threat detection for anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Figure 2-47 shows an example of an alert triggered by this plan.


[Figure 2-47 (screenshot): a Potential SQL Brute Force attempt sample alert (High severity, Active). The description reads: "THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'." The affected resource is Sample-DB; the MITRE ATT&CK tactic is Pre-attack.]

FIGURE 2-47 Sample alert for Azure Defender for SQL
Azure Defender for Azure SQL database servers can be easily enabled at the subscription level or on an individual Azure SQL database; no agent is required. However, to use Azure Defender for SQL servers on machines, you need to enable the plan at the subscription level, and you must onboard the server, which means provisioning the Log Analytics agent on the SQL Server machine. If your VMs are in Azure, you just need to use the auto-provisioning option in Azure Security Center to automatically onboard the Log Analytics agent to your Azure VMs.

Another recent scenario is the integration with Azure Arc, which allows a deeper integration across different scenarios. It is recommended that you use Azure Arc for your SQL Servers on-premises or in other cloud providers (AWS and GCP), and once they are fully onboarded, you can deploy the Log Analytics agent.


MORE INFO DEFENDER FOR SQL ALERTS


You can see the list of all alerts that can be generated by Azure Defender for SQL at 
https://aka.ms/sc200_azdsgq]. 


Azure Defender for Key Vault 


Azure Defender for Key Vault uses machine learning to detect unusual and potentially harmful attempts to access or exploit Key Vault accounts. Unlike Azure Defender for Storage, the only option to enable Azure Defender for Key Vault is to enable it on the entire subscription. Figure 2-48 shows an Azure Defender for Key Vault sample alert.


[Figure 2-48 (screenshot): a User accessed high volume of Key Vaults sample alert (Medium severity, Active). The description reads: "THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. Key Vaults typically exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation." The affected resource is the Sample-KV key vault in the ASC DEMO subscription.]

FIGURE 2-48 Azure Defender for Key Vault sample alert
MORE INFO DEFENDER FOR KEY VAULT ALERTS


You can see the list of all alerts that can be generated by Azure Defender for Key Vault at 
http://aka.ms/AzDefKeyVaultAlerts. 


Azure Defender for Resource Manager 


The Azure Resource Manager (ARM) is the deployment and management service for Azure. 
ARM provides a management layer that allows you to create, update, and delete resources in 
your Azure account. These operations can be done via Azure portal, PowerShell, Azure CLI, 
REST APIs, and client SDKs. 


Threat actors who are targeting ARM will most likely use toolkits such as MicroBurst to discover weak configurations and to perform post-exploitation actions, such as credential dumping. Azure Defender for Resource Manager uses advanced security analytics to detect threats and trigger an alert when a suspicious activity happens.

Besides the detection of the MicroBurst toolkit, Azure Defender for Resource Manager can also detect suspicious resource management operations, which include suspicious IP addresses, the action of disabling the antimalware, and the execution of suspicious scripts in virtual machine extensions. It can also detect lateral movement from the Azure management layer to the Azure resources data plane. Figure 2-49 shows an example of this alert: Antimalware File Exclusion In Your Virtual Machine.


[Figure 2-49 (screenshot): an Antimalware file exclusion in your virtual machine (Preview) alert (Medium severity, Active). The description reads: "File excluded from your antimalware scanner on your virtual machine. This was detected by analyzing Azure Resource Manager operations in your subscription. Attackers might exclude files from the antimalware scan on your virtual machine to prevent detection while running unauthorized tools or infecting the machine with malware." The affected resource is the ASCThirdEdition virtual machine; the MITRE ATT&CK tactic is Defense Evasion.]

FIGURE 2-49 Antimalware file exclusion performed at the resource manager layer
MORE INFO DEFENDER FOR RESOURCE MANAGER ALERTS

You can see the list of all alerts that can be generated by Azure Defender for Resource Manager at http://aka.ms/ASCBookAzDefARMAlerts.


Azure Defender for DNS 


Azure Defender for DNS can identify DNS phishing attacks by analyzing DNS transactions and identifying requests for a possible phishing domain. Such activity is frequently performed by threat actors to harvest credentials and move them to remote services. This activity is usually followed by exploitation of any credentials on the legitimate service. Also, Azure Defender for DNS can identify the following:

■ DNS tunneling, which can be used to exfiltrate data from your Azure resources

■ Malware communicating with a command-and-control server

■ Communication with malicious domains for phishing or cryptomining

■ Communication with malicious DNS resolvers


Figure 2-50 shows an example of a suspicious activity detected by Azure Defender for DNS, 
based on an analysis of DNS transactions. 


[Figure 2-50 (screenshot): a Network intrusion detection signature activation (Preview) alert (Medium severity, Active). The description reads: "Analysis of DNS transactions from %{CompromisedEntity} detected a known malicious network signature. Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools." The affected resource is the ASCTHIRDEDITION virtual machine.]

FIGURE 2-50 Suspicious DNS activity triggered the Azure Defender for DNS alert
MORE INFO DEFENDER FOR DNS ALERTS

You can see the list of all alerts that can be generated by Azure Defender for DNS at http://aka.ms/ASCBookAzDefDNSAlerts.


Manage security alerts 


Security operations analysts who are going to triage the alerts and take actions to remediate them need to be familiar with the Azure Defender Security Alerts Dashboard. Using the Security Alerts Dashboard, security operations analysts can create filters to narrow down the information that is most interesting to them at that moment.

To access the Security Alerts Dashboard and view the alerts, you just need Security Reader privileges. If you need to dismiss an alert, you will need Security Admin privileges. Follow the steps below to access the Security Alerts Dashboard:

1. Open the Azure portal and sign in with a user who has Security Admin privileges.
2. In the left navigation menu, click Security Center.
3. In the Security Center's left navigation menu, under General, click the Security Alerts option. The Security Alerts Dashboard appears, as shown in Figure 2-51.
FIGURE 2-51 Security Alerts Dashboard


4. If you have multiple subscriptions selected in your portal, you can change the Subscription filter to visualize only the necessary alerts.

5. You can also filter by the following fields:

■ Status You can visualize all active alerts or alerts that were dismissed.

■ Severity To focus only on the severity that you need to investigate, you can also filter by the alert's severity.

■ Time If you need to investigate an alert that occurred in a specific time frame, you can filter by time, which is based on days or months.

■ Alert Name If you want to investigate a particular alert that took place across multiple resources, you can also filter by the alert name.

■ Affected Resource Sometimes, you need to investigate the resource that was attacked to see if there are multiple alerts associated with that resource. This filter can be used for that.

■ Resource Type Because there are many resource types in Azure, you might have scenarios where you need to investigate all alerts that occurred for a particular resource type. For example, you can use this filter if you want to see all alerts for the Storage resource type.

■ MITRE ATT&CK Tactics You can use this filter if you need to identify all alerts that were triggered and identified as part of a particular phase of the MITRE ATT&CK framework. For example, you need to know all attacks that occurred during the execution phase of the MITRE framework.

■ Tags You can use this filter if you need to identify all alerts that were triggered on resources that have a specific tag.

■ Owner You can use this filter if you need to identify alerts that were triggered on resources that belong to a specific owner.


6. Once you finish configuring the filter, you will see only the information you need. At this 
point, you just need to open the alert by clicking it. The alert preview page appears, as 
shown in Figure 2-52. 


[Screenshot: alert preview for "Attempted logon by a potentially harmful application", showing 
Severity (Medium), Status (Active), Activity time, and the Alert description "A potentially 
harmful application attempted to access your resource".] 

FIGURE 2-52 Alert preview page 
7. To visualize all the details about the alert, click the View Full Details button, and the full 
alert page appears, as shown in Figure 2-53. 


[Screenshot: full Security alert page for "Attempted logon by a potentially harmful 
application", severity Medium, status Active.] 

FIGURE 2-53 Full Security Alert visualization 


8. On this page, you can explore all the alert's details and the related entities. In the Take 
Action tab, you can see remediation options, and you can trigger playbooks created via 
Logic App, as shown previously in this chapter. 


Once you obtain all information you need from this page, you can close it and go back to 
the Security Alerts Dashboard. 


Manage security incidents 


Azure Defender has a type of alert called a security incident, which is raised in the console 
whenever the system identifies multiple alerts that, when correlated with each other, indicate 
that those alerts belong to the same attack. A security incident uses the fusion capability to 
correlate the alerts that appear to be related to each other. 


Figure 2-54 shows an example of what such an attack campaign might look like and what 
alerts might be raised at the various stages of a cyber kill chain. The figure shows a highly 
simplified version of the cyber kill chain outlined earlier to make it easier to understand how 
fusion alerts work. 

FIGURE 2-54 Azure Defender detections across the cyber kill chain 


Following is the sequencing shown in Figure 2-54: 


1. Target and attack In this phase, Azure Defender detects what appears to be a brute-force 
attack against the Remote Desktop Protocol (RDP) server on a VM. This determination 
is made by comparing a baseline of RDP connections to the VM and the current 
rate of RDP login attempts, along with other factors related to RDP logins. 

2. Install and exploit Here, Azure Defender detects the execution of a suspicious process 
on the VM. This suspicious process could be predefined (known-bad malware), or it 
could be a process that wasn't executed on the machine during previous baselines and 
is therefore unrecognized. (For example, maybe the process is launched by software 
recently installed by the admin.) You'll have to correlate this event with other events to 
find out. 

3. Post breach At this point, Azure Defender has detected what appears to be a 
communication channel established between the VM and a known-malicious IP address 
(probably flagged by a threat-intelligence feed). There's a very good chance that this is 
bad, but there is still a chance that it isn't. For example, maybe a security researcher or a 
red-team member working for the customer connected to the address on purpose. Yes, 
a connection to a known-bad IP address is serious, but it doesn't guarantee that the VM 
has been compromised. 


Each phase of the cyber kill chain taken by itself indicates that something bad may be 
happening—but cannot offer you complete certainty. However, when you correlate these 
findings, you can be almost 100 percent sure that the VM has been compromised by a brute-force 
RDP attack, that the attacker has installed and run new malware on the machine, and that the 
malware is communicating with a command-and-control server (likely identified by a threat-
intelligence feed). 
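As an added illustration (not code from the book and not Azure Defender's own correlation logic), the following Python script groups alerts on the same VM into a single incident in the way the fusion description above suggests; the alert records, the alert-type-to-phase mapping and the 24-hour correlation window are constructed assumptions.

```python
"""Simplified fusion-style correlation of per-resource security alerts.

Added example: the sample alerts, the phase mapping and the time window are
constructed for illustration and are not Azure Defender's actual behaviour.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping from alert type to a phase of the simplified kill chain
PHASE_OF = {
    "RDP brute force attempt": "target_and_attack",
    "Suspicious process executed": "install_and_exploit",
    "Communication with known-malicious IP": "post_breach",
}
PHASE_ORDER = ["target_and_attack", "install_and_exploit", "post_breach"]
WINDOW = timedelta(hours=24)  # assumption: alerts must fall within one day

# Constructed sample alerts (resource, alert type, UTC time)
SAMPLE_ALERTS = [
    {"resource": "vm-web01", "type": "RDP brute force attempt",
     "time": "2021-03-09T09:10:00"},
    {"resource": "vm-web01", "type": "Suspicious process executed",
     "time": "2021-03-09T09:45:00"},
    {"resource": "vm-web01", "type": "Communication with known-malicious IP",
     "time": "2021-03-09T10:20:00"},
    # A lone C2-style alert on another VM: serious, but not yet an incident
    {"resource": "vm-db02", "type": "Communication with known-malicious IP",
     "time": "2021-03-09T11:00:00"},
    # Two phases on the same VM but eight days apart: outside the window
    {"resource": "vm-app03", "type": "RDP brute force attempt",
     "time": "2021-03-01T08:00:00"},
    {"resource": "vm-app03", "type": "Suspicious process executed",
     "time": "2021-03-09T08:00:00"},
]


def parse(alert):
    """Attach a parsed timestamp and the kill-chain phase to a raw alert."""
    return {**alert, "time": datetime.fromisoformat(alert["time"]),
            "phase": PHASE_OF[alert["type"]]}


def _flush(resource, group, incidents, standalone):
    """Turn a time-bounded group of alerts into an incident if it spans at
    least two distinct kill-chain phases; otherwise keep them as single alerts."""
    phases = [p for p in PHASE_ORDER if any(a["phase"] == p for a in group)]
    if len(phases) >= 2:
        incidents.append({
            "resource": resource,
            "phases": phases,
            # all three phases seen: treat as High, two phases as Medium
            "severity": "High" if len(phases) == 3 else "Medium",
            "alerts": [a["type"] for a in group],
            "first_seen": group[0]["time"].isoformat(),
            "last_seen": group[-1]["time"].isoformat(),
        })
    else:
        standalone.extend(group)


def correlate(alerts, window=WINDOW):
    """Group alerts per resource into windows of `window` length starting at
    the first alert, and return (incidents, standalone_alerts)."""
    by_resource = defaultdict(list)
    for alert in map(parse, alerts):
        by_resource[alert["resource"]].append(alert)

    incidents, standalone = [], []
    for resource, items in by_resource.items():
        items.sort(key=lambda a: a["time"])
        group = []
        for alert in items:
            # start a new group once the alert is outside the current window
            if group and alert["time"] - group[0]["time"] > window:
                _flush(resource, group, incidents, standalone)
                group = []
            group.append(alert)
        _flush(resource, group, incidents, standalone)
    return incidents, standalone


if __name__ == "__main__":
    found, single = correlate(SAMPLE_ALERTS)
    for inc in found:
        print(f"INCIDENT {inc['severity']:<6} {inc['resource']}: "
              f"{' -> '.join(inc['phases'])}")
    for alert in single:
        print(f"alert    {alert['resource']}: {alert['type']}")
```

Only vm-web01, where all three phases fall inside one window, becomes an incident; the other alerts stay as individual findings for an analyst to triage.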


In the Security Alert Dashboard, you can create a filter to visualize only Security Incidents 
that were detected, as shown in Figure 2-55. 
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FIGURE 2-55 Filtering security alerts based on security incident only 


After applying this filter, you will see only security incidents, which have a different icon 
(three connected dots), as shown in Figure 2-56. 


[Screenshot: alert list with three rows titled "Security incident detected on multiple 
resources", two with High severity and one with Medium severity, each marked with the 
security incident icon.] 

FIGURE 2-56 Security incidents in Azure Defender 


When you click a security incident and visualize the full details, you will see multiple alerts 
associated with the incident, as shown in Figure 2-57. 
FIGURE 2-57 Multiple alerts associated with a security incident 

Analyze Azure Defender threat intelligence 


As you could see throughout this chapter, when Azure Defender identifies a threat, it triggers a 
security alert, which contains detailed information regarding the event, including suggestions 
for remediation. 


For some alerts, Azure Defender will also provide threat intelligence reports to facilitate your 
investigation. These reports contain information about the detected threats, which includes: 


■ Attacker's identity or associations (if this information is available) 

■ Attacker's objectives 

■ Current and historical attack campaigns (if this information is available) 

■ Attacker's tactics, tools, and procedures 

■ Associated indicators of compromise (IoC) such as URLs and file hashes 

■ Victimology, which is the industry and geographic prevalence to assist you in 
determining if your Azure resources are at risk 

■ Mitigation and remediation information 


Keep in mind that this information is not always available for all types of alerts. It's only 
available for the alerts that Azure Defender can correlate with Microsoft Threat Intelligence. 
Figure 2-58 shows an example of an alert that contains a threat intelligence report. 

FIGURE 2-58 Alert with enrichment from a threat intelligence report 


Mitigate threats using Azure Defender 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


In the Alert Details tab, there is a link for the report, which in this case is called Report: 
Shadow Copy Delete. By clicking this hyperlink, you can download the PDF that contains the 
detailed information about this threat, as shown in Figure 2-59. 


[Screenshot: first page of the Microsoft Threat Intelligence report PDF, "Threat summary: 
Shadow Copy Delete" (MSTI-TS-Shadow-Copy-Delete).] 

FIGURE 2-59 Threat intelligence report 


Respond to Azure Defender Key Vault alerts 


As you could see throughout this chapter, Azure Defender alerts are rich in details and 
information that can assist you when responding to alerts and help you take corrective actions 
to remediate the issue. The SC-200 exam's outline explicitly calls out the process of responding 
to an alert generated by Azure Defender for Key Vault. Although it has some unique steps, the 
majority of the approach is applicable to most of the other alerts. 

Azure Defender for Key Vault alerts are unique because every alert includes an Object 
Identifier (Object ID), the User Principal Name (UPN), or the IP Address of the suspicious resource. 
It is important to highlight that the availability of this information can also vary according to 
the type of access that occurred. If your Key Vault was accessed by an application, then you will 
not see the associated UPN. If the traffic originated from outside Azure, then you won't see an 
Object ID. With that in mind, we can summarize the response process for an Azure Key Vault 
alert in the following steps: 

■ Contact 
■ Mitigation 
■ Impact 
■ Take action 

Contact 


In this step, you need to verify where the traffic is coming from; in other words, did the traffic 
originate from within your Azure tenant? Verify if you have Key Vault Firewall enabled. If you 
do, it's likely that granted access to the user or application is what triggered the alert. 


If you can identify the source of the traffic as coming from your own tenant, then contact 
the user or application owner. If you are unable to verify the source of the traffic, skip to the 
next step. 


Mitigation 

In this step, you have the assumption that the access shouldn't have been authorized because 
you couldn't determine the source of the traffic in the previous step. If the traffic came from an 
unrecognized IP Address, make sure to: 


■ Enable the Azure Key Vault firewall (if you haven't done so already). 
■ Configure the firewall to allow only trusted resources and virtual networks. 


However, if the source of the alert was an unauthorized application or suspicious user, make 
sure to configure the Key Vault's access policy settings to remove the corresponding security 
principal or restrict the operations the security principal can perform. 


If the source of the alert has an Azure Active Directory role in your tenant, you should start 
by contacting your administrator and then determine whether you need to reduce or revoke 
Azure Active Directory permissions. 


Impact 

Once the impact of the attack has been mitigated, you need to investigate the secrets in your 
Key Vault that were affected. In this step, you will need to do the following: 

■ Review the triggered alert. 

■ Review the list of the secrets that were accessed and the timestamp. 

■ If you have Key Vault diagnostic logs enabled, review the previous operations for the 
corresponding caller IP, user principal, or object ID. 


Take action 


At this point, you already compiled a list of the secrets, keys, and certificates that were accessed 
by the suspicious user or application. Your next immediate action is to rotate those objects. 


Ensure that affected secrets are disabled or deleted from your Key Vault. If the credentials 
were used for a specific application, you will need to contact the administrator of the 
application and ask them to audit their environment for any use of the compromised 
credentials. If the compromised credentials were used, the application owner should identify 
the information that was accessed to mitigate the impact. 
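The Impact and Take action steps above can be supported by a diagnostic-log review like the following added Python example (not the book's or Microsoft's code). The Key Vault AuditEvent records, the vault name, the IP addresses and the identities are constructed; the field names are assumed to follow the documented Key Vault diagnostic-log schema.

```python
"""Review constructed Key Vault AuditEvent records for a suspicious caller and
derive the list of objects that must be rotated.

Added example: the vault, addresses, identities and records below are made up;
field names are an assumption based on the documented diagnostic schema.
"""
import json
from urllib.parse import urlparse

UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
VAULT = "https://contoso-kv.vault.azure.net"  # constructed vault name


def _rec(time, op, result, ip, obj, upn=None, oid=None):
    """Build one constructed AuditEvent record as JSON-serialisable dict."""
    claims = {}
    if upn:
        claims[UPN_CLAIM] = upn
    if oid:
        claims[OID_CLAIM] = oid
    return {"time": time, "category": "AuditEvent", "operationName": op,
            "resultType": result, "callerIpAddress": ip,
            "identity": {"claim": claims}, "properties": {"id": VAULT + obj}}


# Constructed export: one JSON record per line, as a workspace query might return
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    # Traffic from outside Azure: only an IP address, no UPN and no object ID
    _rec("2021-03-09T09:31:02Z", "VaultGet", "Success", "203.0.113.45", "/"),
    _rec("2021-03-09T09:31:10Z", "SecretGet", "Success", "203.0.113.45",
         "/secrets/sql-conn-string/6f1a"),
    _rec("2021-03-09T09:31:15Z", "KeyGet", "Success", "203.0.113.45",
         "/keys/storage-cmk/9c0b"),
    _rec("2021-03-09T09:32:40Z", "SecretGet", "Forbidden", "203.0.113.45",
         "/secrets/backup-key/1a2b"),
    # A user and an application inside the tenant (legitimate traffic)
    _rec("2021-03-09T09:40:00Z", "SecretGet", "Success", "10.0.0.4",
         "/secrets/sql-conn-string/6f1a", upn="app-owner@contoso.example",
         oid="11111111-2222-3333-4444-555555555555"),
    _rec("2021-03-09T09:41:00Z", "CertificateGet", "Success", "10.0.0.9",
         "/certificates/api-tls/0fe3",
         oid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
])


def _object_of(record):
    """Split the object URI into (kind, name); vault-level calls give (None, None)."""
    parts = urlparse(record["properties"]["id"]).path.strip("/").split("/")
    if len(parts) < 2:
        return None, None
    return parts[0], parts[1]


def review_access(log_text, caller_ip=None, upn=None, object_id=None):
    """Return every AuditEvent made by the suspicious caller. The alert may
    carry only one of IP address, UPN or object ID, so any supplied identifier
    that matches counts."""
    if not any((caller_ip, upn, object_id)):
        raise ValueError("the alert must supply at least one identifier")
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        claims = rec.get("identity", {}).get("claim", {})
        matched = (caller_ip and rec.get("callerIpAddress") == caller_ip
                   or upn and claims.get(UPN_CLAIM) == upn
                   or object_id and claims.get(OID_CLAIM) == object_id)
        if not matched:
            continue
        kind, name = _object_of(rec)
        findings.append({"time": rec["time"], "operation": rec["operationName"],
                         "result": rec["resultType"], "kind": kind, "name": name})
    return findings


def rotation_list(findings):
    """Objects the caller actually read: these must be rotated and then disabled
    or deleted. Failed attempts are reported but do not expose the object."""
    return sorted({(f["kind"], f["name"]) for f in findings
                   if f["result"] == "Success"
                   and f["kind"] in ("secrets", "keys", "certificates")})


if __name__ == "__main__":
    hits = review_access(SAMPLE_LOG, caller_ip="203.0.113.45")
    for h in hits:
        print(f"{h['time']} {h['operation']:<15} {h['result']:<9} "
              f"{h['kind']}/{h['name']}")
    print("rotate:", rotation_list(hits))
```

Run with the identifier the alert actually provides (IP for external traffic, object ID for an application, UPN for a user); the rotation list then feeds the Take action step.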
Manage user data discovered during an investigation 


When the General Data Protection Regulation (GDPR) was created, it was very important for 
Security Center to provide mechanisms to delete personal data from the service in order to allow 
organizations to support their obligations under GDPR. To comply with that, you need to 
understand which information can be accessed and which role is required to access this information. 


The first important aspect of an investigation when you need to be compliant with GDPR is 
the capability to search and identify personal data. A user who utilizes Security Center can view 
their personal data through Azure portal. It is important to mention that Security Center only 
stores security contact details, such as email addresses and phone numbers. 


Another configuration that can be used to visualize an IP address is the list of allowed IP 
configurations using the just-in-time (JIT) VM access feature in Azure Defender. To access the 
just-in-time policies, the user needs to be assigned to the Reader, Owner, Contributor, or 
Account Administrator roles. To update or delete just-in-time policies, the user needs to be 
assigned to the Owner, Contributor, or Account Administrator roles. 


IP addresses can also be included in some security alerts provided by Azure Defender, as well 
as the attacker's details. To view security alerts, the user needs to be assigned to the Reader, 
Owner, Contributor, or Account Administrator roles. Keep in mind that alerts can't be 
deleted, regardless of the role you have. 


It is important to mention that the personal data found in the Security Center contact fea- 
ture doesn't need to be classified. There, you will only see one or multiple email addresses that 
are saved by Security Center. The same recommendation is true for the IP addresses and port 
numbers found in the just-in-time feature in Azure Defender. 


To access the security contact data, the user needs to be assigned the Reader, Owner, 
Contributor, or Account Administrator roles. Only the Reader role will not allow you to 
update or delete the contact information in Security Center. 


Thought experiment 


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


Monitoring security at Tailwind Traders 


You are one of the Azure administrators for Tailwind Traders, an online general store that 
specializes in a variety of products that are used around the home. Tailwind Traders has been 
using the Azure Security Center free tier and is enabling Azure Defender plans according to 
their needs. 


As a part of your duties for Tailwind Traders, you need to work with the security operations 
center (SOC) to ensure that you have threat detection for the different workloads available in 
your cloud deployment in Azure. Tailwind Traders has five Azure Storage accounts that are uti- 
lized by the sales team. The sales team uses these storage accounts primarily to store files. One 
technical requirement established by the IT security team is that all files that are uploaded by 
the sales team must be flagged if they are considered compromised files, and upon detection, 
an email must be sent to the incident response (IR) team to start the investigation. 


Another technical requirement established by Tailwind Traders’ IT security team is to ensure 
that Servers (Windows or Linux) running in Azure or on-premises are fully monitored in Azure, 
including threat detection and vulnerability assessment. 


Tailwind Traders’ SOC Team wants to avoid alert fatigue. They need to ensure that the alerts 
that are considered false positives for their environment are not going to appear in the dash- 
board for the next six months when they plan to reevaluate their strategy to triage alerts. With 
this information in mind, answer the following questions: 


1. Which Azure Defender plans do you need to enable? 
2. Which feature will allow Tailwind Traders’ SOC team to avoid alert fatigue? 


3. How can you ensure that the IR team will receive an email once a compromised file is 
uploaded to the storage? 


4. Is it possible to enable storage protection just for some storage accounts? 


Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. Based on this scenario, you will need to enable Azure Defender for Servers and Azure 
Defender for Storage. 

2. Alert suppression rules. 

3. You will need to create a Logic App to send email to IR and from Azure Security Center 
configure the Workflow Automation feature to trigger the Logic App once an alert 
generated by Azure Defender for Storage is triggered based on the hash reputation of 
the file that was uploaded. 


4. Yes, they can disable Azure Defender for Storage on the subscription level and enable it 
only on the storage accounts they want. 
Chapter Summary 


■ Azure Defender plans that are based on other Azure Platform as a Service (PaaS) 
offerings don't require a workspace configuration in the beginning. These include 
Azure Defender for Key Vault, Azure Defender for App Service, Azure Defender for 
Resource Manager, Azure Defender for Storage, Azure Defender for Container 
Registries, Azure Defender for SQL database, and Azure Defender for DNS. 

■ By default, there are two roles in Security Center: Security Reader and Security 
Admin. The Security Reader role should be assigned to all users who only need read 
access to the dashboard. The Security Admin role should be assigned to users who 
need to manage the Security Center configuration. If you need more granular control, 
you can create a custom role. 

■ Data retention policy can be configured using Azure Resource Manager (ARM) 
templates by using the retentionInDays parameter. 

■ Vulnerability assessment in Azure Defender is done using the built-in integration with 
Qualys, but you can also bring your own license key to deploy Qualys or Rapid7 solutions. 

■ To connect non-Azure machines from a different cloud provider, you need to install 
Azure Arc and then install the LA Agent. 

■ You need to upgrade to Azure Defender to use the AWS and GCP Connector and start 
ingesting information from those platforms. 

■ You can create sample alerts for all alerts that are in GA. 

■ To create or delete an alert suppression rule, you need to be Security Admin or Owner. 
To view alert suppression rules, you need to be Security Reader or Reader. 

■ To configure an automated response in Azure Security Center, you need to create 
a Logic App with the workflow of actions that will be executed and configure the 
workflow automation feature in Azure Security Center. 

■ For some alerts, Azure Defender will also provide threat intelligence reports to facilitate 
your investigation. These reports contain information about the detected threats. 
Mitigate threats using Azure Sentinel 


Azure Sentinel is a cloud-based SIEM (security information and event management) solu- 
tion. SIEM solutions have been in existence for a number of years, and their key purpose is 
to collect and correlate events across an organization's IT environment to detect anomalous 
activities that might be indicative of a security breach. These alerts can then be dealt with by 
a security operations center (SOC) team to investigate, respond, and mitigate the issue that 
the SIEM has alerted on. Having an effective SIEM is critical to any organization's security 
operations; you might have heard the phrase “that's out of scope... said no attacker ever." 
The fact is that attackers will use any vulnerable assets they find in an IT environment to move 
laterally to find objects of value (data, computer power, and the like), so an organization 
simply cannot afford to have blind spots in their monitoring. Individual security tools might 
pick up one aspect of an attack (such as initial access through a vulnerable endpoint), but 
this alert by itself won't allow an SOC to understand the full scope of the attack and respond 
appropriately. A SIEM allows security operations analysts to correlate events in the wider IT 
environment and understand the seriousness of a breach. 


In this chapter you'll learn about designing an Azure Sentinel workspace, ingesting data 
sources into Azure Sentinel, managing analytics rules, configuring automation, using work- 
books, and hunting for threats using Azure Sentinel. 


Skills covered in this chapter: 

■ Design and configure an Azure Sentinel workspace 

■ Plan and implement the use of data connectors for the ingestion of data sources into 
Azure Sentinel 

■ Manage Azure Sentinel analytics rules 

■ Configure Security Orchestration, Automation, and Response (SOAR) in Azure Sentinel 

■ Manage Azure Sentinel incidents 

■ Use Azure Sentinel workbooks to analyze and interpret data 

■ Hunt for threats using the Azure Sentinel portal 




Skill 3-1: Design and configure an Azure 
Sentinel workspace 


This objective deals with designing and configuring an Azure Sentinel workspace. Because 
Azure Sentinel is a SaaS (Software as a Service) solution, much of the core configuration is 
taken care of for you by Microsoft, but—as with any SaaS—certain aspects of configuration 
still need to be implemented by each individual organization using the service. 


Plan an Azure Sentinel workspace 


Azure Sentinel is an enrichment layer that sits on top of a Log Analytics workspace. You can- 
not use Azure Sentinel without first having a Log Analytics workspace created in your Azure 
tenant. Log Analytics is where all logs that are ingested into Azure Sentinel are stored. There 
are several aspects of design and architecture to consider before creating your Log Analytics 
workspace(s) for Azure Sentinel. 


First, you must consider the number of workspaces. Where possible, it is recommended that 
you use one central security workspace. However, there are times when this might not be pos- 
sible. The main reasons for requiring a multi-workspace deployment are as follows: 


■ If logs need to be kept in a certain jurisdiction for compliance or regulatory 
requirements for a global organization 

■ To reduce Azure region networking egress costs 

■ For subsidiary organizations that run their own security operations 


NOTE Remember that Log Analytics and Azure Sentinel have a one-to-one relationship. 
If you choose to have multiple Log Analytics workspaces in your deployment, you will, 
in turn, have multiple Azure Sentinel instances. This chapter will cover management of 
multi-workspace incidents later. 


If you require multiple workspaces, this will take one of two forms: 


■ Cross-tenant scenario Where multiple Azure tenants each have Azure Sentinel 
workspaces that need to be centrally managed 

■ Cross-workspace scenario Where there are multiple workspaces in one Azure tenant 
that need to be centrally managed 


Azure Sentinel can support scenarios where multiple Azure tenants are involved by using 
Azure Lighthouse, which is an Azure service that allows cross-tenant management, with the 
MSSP managing the customer's Azure Sentinel workspace. This architecture can also be used 
for organizations that have subsidiaries who have their own separate Azure tenants. Figure 3-1 
shows how Azure Lighthouse can be used to manage Azure Sentinel workspaces in different 
Azure tenancies. 
[Diagram: the MSSP's Azure tenant managing the Azure Sentinel workspace in Customer #1's 
Azure tenant through Azure Lighthouse.] 

FIGURE 3-1 Managing Azure Sentinel workspaces across different Azure tenancies using Azure Lighthouse 


There are many advantages to using Azure Lighthouse if your organization chooses to 
outsource their security operations. Here are a few: 


■ All data stays in the end customer's Azure tenant Data is not stored in your MSSP's 
Azure tenant and is not mixed with other customer data. This preserves data sovereignty 
and allows for straightforward offboarding should the need arise. 

■ MSSPs only have access to the Azure resource(s) that the end customer grants 
them This is unlike traditional delegated access in on-premises environments where 
a third-party service provider might have had access to the whole IT environment, even 
when only a specific application is needed. 

■ MSSPs get consolidated views of all the customer workspaces they manage They 
don't have to log in to each Azure Sentinel workspace separately, which is 
inefficient and not scalable. 


MOREINFO RUNNING AZURE SENTINEL USING AZURE LIGHTHOUSE 


You can learn more about running Azure Sentinel with Azure Lighthouse here: 
https://aka.ms/azsentinelmssp. 
Aside from Azure Lighthouse, there are several features in Log Analytics and Azure Sentinel 
that allow for investigation of incidents across workspaces in the same Azure tenant, as shown 
in Figure 3-2 and discussed in detail later in this chapter: 

■ Cross-workspace queries 

■ Cross-workspace analytics rules 

■ Cross-workspace hunting queries 

■ Cross-workspace workbooks 

[Diagram: one Azure tenant containing several regional workspaces (for example, the 
Americas workspace) covered by cross-workspace analytics rules.] 

FIGURE 3-2 Cross-workspace analytics rules in the same Azure tenant 


Other aspects of Azure Sentinel design to consider are as follows: 


■ Azure tenant placement A Log Analytics workspace is an Azure resource, and as 
with any Azure resource, you need to consider where it will sit. You will 
need to define a subscription, resource group, and region. It is recommended that the 
Log Analytics workspace that you are going to set up Azure Sentinel on top of is placed in 
a separate resource group for simplicity in configuring RBAC (more detail later). You may 
choose to place the workspace in an existing Azure Subscription or in a separate one. 

■ Commitment tiers If you plan to ingest more than 100GB per day into your Azure 
Sentinel workspace, it is worthwhile looking at commitment tiers that give you a 
discount on ingestion compared to pay-as-you-go pricing. Note that even if you don't 
ingest data up to your commitment tier allotment, you will be charged for it anyway if 
you change commitment tiers. Commitment tiers need to be configured at both the Log 
Analytics and Azure Sentinel level. 


MOREINFO AZURE SENTINEL COMMITMENT TIERS 


You can learn more about Azure Sentinel commitment tiers here: 
https://azure.microsoft.com/pricing/details/azure-sentinel/ 


After you have decided on the number of workspaces and how they will fit into your Azure 
tenancy, you can enable Log Analytics workspace(s) and subsequently Azure Sentinel by per- 
forming the following steps: 

1. Navigate to the Azure portal by opening https://portal.azure.com. 

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel Workspace. 
The Azure Sentinel page appears, as shown in Figure 3-3. 


[Screenshot: the Azure Sentinel page in the Azure portal, reached through the portal search bar.] 

FIGURE 3-3 Creating a new Log Analytics workspace 


3. Click Create. The Add Azure Sentinel To A Workspace page appears. 
4. Click Create A New Workspace. 
5. The Create Log Analytics Workspace page appears, as shown in Figure 3-4. 


FIGURE 3-4 Create Log Analytics Workspace page 

6. Configure the Subscription, Resource Group, and Region for your Log Analytics 
workspace. 


7. Select Pricing Tier, add Tags (if required), and then select Create. Wait for your 
Log Analytics workspace to be provisioned. 


8. In the Azure portal, search for Azure Sentinel and select Add on the Azure Sentinel 
page. The Add Azure Sentinel To A Workspace page appears, as shown in Figure 3-5. 


FIGURE 3-5 Add Azure Sentinel To A Workspace 


9. Select the Log Analytics workspace on which you want to activate Azure Sentinel. 


Configure Azure Sentinel roles 


As with other Azure resources, Azure Sentinel comes with several built-in Azure roles that you 
can assign to users who need to access your workspace. Remember to adhere to the principle 
of least privilege and always assign the absolute lowest level of privilege that a user requires to 
complete their role. Following are the built-in roles: 

■ Azure Sentinel Reader Can view data, incidents, workbooks, and other Azure 
Sentinel resources. 

■ Azure Sentinel Responder In addition to the permissions granted by an Azure 
Sentinel Reader role, the Azure Sentinel Responder role allows for managing 
of incidents. 

■ Azure Sentinel Contributor In addition to the permissions that Reader and 
Responder roles have, Azure Sentinel Contributor can create and edit workbooks, 
analytics rules, and other Azure Sentinel resources. 


To assign an Azure Sentinel role to a user, perform the following steps: 
1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Resource Groups, and under Services, click Resource Groups. 
The Resource Groups page appears, as shown in Figure 3-6. 

FIGURE 3-6 The Resource Groups page in the Azure portal 

3. Select the resource group that your Azure Sentinel workspace is associated with. The 
resource group's overview page appears. 

4. From the resource group overview page, select the Access Control (IAM) page, which 
is shown in Figure 3-7. 

FIGURE 3-7 Access Control (IAM) for a resource group 

5. On the Access Control (IAM) page, select Add role assignment, as shown in Figure 3-8. 


[Screenshot: the Access control (IAM) page of the Sentinel-RG resource group, with the Add 
menu expanded to show Add role assignment, Add co-administrator, and Add custom role.] 

FIGURE 3-8 Adding a role assignment for a user 


6. The Add Role Assignment blade appears, as shown in Figure 3-9. 


[Screenshot: the Add role assignment blade with the Role drop-down, Assign access to set to 
"User, group, or service principal", and a user selected.] 

FIGURE 3-9 Add Role Assignment 


7. On the Add Role Assignment blade, search for the Azure Sentinel role you want to 
assign, and in Azure AD, search for the user who you want to assign the role to. 


8. Select Save to add this assignment. 


NOTE The steps above detail how to assign Azure Sentinel permissions to a user based on 
the resource group. It is also possible to follow these steps and assign the role at the 
subscription or management group level that the workspace is in, and the resource group will 
subsequently inherit this permission. However, best practice dictates that roles should be 
added at the resource group level, not at the subscription level or management group level. 

Design Azure Sentinel data storage 


Earlier in this chapter we explained that Azure Sentinel's data store is Log Analytics, which itself 
is a part of the wider Azure Monitor platform. As the name suggests, Azure Monitor is a suite 
of services in the Azure platform that assist with monitoring. 


TIP When reading Microsoft documentation, you might find that some Log Analytics and 
Sentinel documentation refers to Azure Monitor. Remember, Log Analytics, and therefore 
Azure Sentinel, is a part of the Azure Monitor platform; this isn't a typo or a mistake in 
the documentation. 


Log Analytics is an immutable log store that uses different tables to store the logs that it 
ingests in rows. What this means is that after data has been ingested into a Log Analytics work- 
space, it cannot be changed or amended and will only be removed from the workspace when 
the log reaches its retention period and is aged out of the workspace. 


It is possible to retain data in a Log Analytics workspace for up to 730 days (2 years), but the 
default data retention is set to 30 days. When you activate Azure Sentinel on a Log Analytics 
workspace, you receive up to 90 days of free data retention. Azure Sentinel is priced on inges- 
tion and log retention, so if you choose to retain logs in your workspace for more than 90 days, 
fees will be assessed. It is recommended that you choose a retention period in your workspace 
that balances how far back you are likely to actively query your security logs against the cost 
of retention. 


TIP DATA RETENTION 


You must manually alter the data retention to 90 days after you activate Azure Sentinel on 
a Log Analytics workspace; it is not changed automatically. This is important because when 
data reaches its configured retention limit, it will be automatically purged by Log Analytics, 
and you wouldn't want to not take advantage of your free 90 days of retention! 


Remember that you can set retention periods in Log Analytics on a per-table basis, so 
you can opt to retain certain tables for longer than others to reduce the cost of retaining an 
entire workspace for a longer period. A table that is often kept for longer than others is the 
SecurityIncident table, as this stores details of the security incidents that have been raised by 
Azure Sentinel and querying this table allows for SOC managers to see their SOC’s performance 
metrics, number of incidents raised over time, and so on. Ultimately, a cost/benefit analysis will 
have to be performed to decide what works best for your implementation of Azure Sentinel; 
there are tools such as the Azure Sentinel pricing calculator that can help you with this. 


MOREINFO AZURE SENTINEL PRICING CALCULATOR 


You can learn more about Azure Sentinel pricing at https://azure.microsoft.com/pricing/calculator/ 


To change the data retention settings in your workspace perform the following steps: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 
2. In the Search bar, type Log Analytics, and under Services, click Log Analytics 
Workspace. The Log Analytics Workspace page appears. 


3. Select your workspace, and the Usage And Estimated Costs page appears, as shown 
in Figure 3-10. 


FIGURE 3-10 Navigating to the Data Retention settings in a Log Analytics workspace 


4. Select the Usage And Estimated Costs blade. 


5. Select Data Retention and move the slider on the Data Retention blade to your 
desired retention period for your workspace (shown in Figure 3-11) and select OK. 
FIGURE 3-11 Setting the Data Retention blade to your desired retention period for your workspace 


Long-term storage of Azure Sentinel data 


Many organizations must adhere to strict data retention requirements for regulatory and com- 
pliance purposes that exceed the maximum 730 days that can be configured in Log Analytics. 
Additionally, keeping data in Log Analytics for the full 730 days that can be configured could 
be prohibitively expensive for a security operations team’s budget. 


There are two options to consider if long-term storage of Azure Sentinel logs is required for 
an implementation: 


= Moving to blob storage 
= Moving to Azure Data Explorer (ADX) 


Sending data directly to blob storage is effectively archiving them and putting them in a 
cold store. This is the cheapest storage option, but the data will require “rehydrating" if they 
need to be actively queried again. ADX can be considered a warm store, which means data can 
be queried there. (It even uses the same query language—KQL.) However, the features are basic 
compared to Log Analytics and Azure Sentinel's rich feature set for security operations. 


MOREINFO LONG-TERM RETENTION OF AZURE SENTINEL DATA 


You can learn more about long-term retention options for Azure Sentinel data at 
https://techcommunity.microsoft.com/t5/azure-sentinel/using-azure-data-explorer-for- 
long-term-retention-of-azure/ba-p/1883947. 


Configure Azure Sentinel service security 


Azure Sentinel relies on other services for some of its functionality. This means that to use these 
features, additional permissions other than the built-in Azure Sentinel roles need to be used: 


m Using Playbooks for automation In order to use Playbooks in Azure Sentinel, you 
will also need to assign the Logic App Contributor built-in role because Playbooks are 
part of Azure Logic Apps, which is considered to be a separate Azure resource and thus, 
has its own set of permissions. 


= Connecting data sources to Azure Sentinel A user must have write permissions on 
the Azure Sentinel workspace to be able to add a data source. They might also need ad- 
ditional permissions specific to each data source; these are listed on the connector’s page. 


= Guest users assigning incidents To assign incidents in Azure Sentinel, guest users 
require the Directory Reader permissions to be assigned to them. Note that this role is 
not an Azure role but an Azure Active Directory role and that regular (non-guest) users 
have this role assigned by default. 


= Creating and deleting workbooks In order to create and delete workbooks in Azure 
Sentinel, a user will need to be assigned the Azure Monitor role of Monitoring Con- 
tributor. This is not required for using workbooks. It’s only necessary for creating and 
deleting workbooks. 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 




MORE INFO AZURE SENTINEL PERMISSIONS AND BUILT-IN ROLES 


You can learn more about Azure Sentinel permissions and built-in roles at 
https://docs.microsoft.com/azure/sentinel/roles. 


Skill 3-2: Plan and implement the use of data 
connectors for the ingestion of data sources into 
Azure Sentinel 


This objective deals with the planning and implementation of connecting data sources to 
Azure Sentinel. No SIEM solution can function without data sources, so this is a critical aspect 
of creating an effective Azure Sentinel implementation that will successfully protect your 
IT environment. 


Identify data sources to be ingested into Azure Sentinel 


Identifying which data sources to ingest into Azure Sentinel is a critical activity that should ide- 
ally be decided upon before you begin your implementation. Azure Sentinel makes it easy to 
identify data sources that can be connected to the product via the built-in data connectors in 
the data connector gallery. 

As a starting point, we recommend that you review the data connector gallery and identify 
which of these data sources you have in your environment and which ones you want to con- 
nect. Azure Sentinel has an extensive collection of built-in data connectors for both Microsoft 
and third-party products that can be utilized. 


Follow these steps to review the data connector gallery: 
1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel workspace page appears, as shown in Figure 3-12. 


FIGURE 3-12 Selecting the correct Azure Sentinel workspace 
3. Select the workspace you want to use. The Azure Sentinel | Overview page appears, 
as shown in Figure 3-13. 


FIGURE 3-13 The Azure Sentinel | Overview page 


4. Click Data Connectors, which opens the Data Connectors page, as shown in Figure 3-14. 


FIGURE 3-14 Data Connectors gallery 


5. Scroll through the gallery and note the data sources that are in your IT environment and 
that you want to ingest. 


6. Add these data sources to your design document. 


EXAM TIP 


Microsoft frequently adds new data connectors to Azure Sentinel. Make sure you review the 
Data Connectors gallery on a regular basis, so that you are familiar with the current offer- 
ings before your SC-200 exam. 


Although Azure Sentinel has many built-in data connectors, there might be data sources 
that you need to connect that are not in the gallery. We will cover how you can configure a 
custom connector to ingest these data sources into Sentinel later in the chapter. Meanwhile, 
we will continue to focus on identification of data sources. Many organizations have older, 
on-premises SIEMs that they are migrating away from, and you should review whether the data 
sources ingested by these SIEMs should be redirected to be ingested by Azure Sentinel. 


NOTE MICROSOFT GRAPH SECURITY API 


Organizations who have an incumbent SIEM solution are unlikely to want to migrate all their 
data sources to Azure Sentinel in a big bang approach. It is more likely that the organiza- 
tion runs both SIEMs side-by-side and gradually migrates more and more sources to Azure 
Sentinel, and in due course, the on-premises SIEM is decommissioned. Using the Microsoft 
Graph Security API, Azure Sentinel can integrate with popular on-premises SIEM solutions 
to support this approach while still maintaining a holistic view of security events. You can 
learn more about the Microsoft Graph Security API at https://docs.microsoft.com/en-us/ 
graph/security-concept-overview. 


After reviewing the data connector gallery and the current data sources that are being 
monitored by an organization's incumbent SIEM solution, the last stage of the process is to 
verify whether there are other data sources that need to be connected to Azure Sentinel from 
the IT environment. When setting up or migrating to a new SIEM, it is worthwhile to verify 
there aren't any blind spots in your monitoring setup and that there aren't any assets that have 
not been monitored previously. This can occur for various reasons, including: 


= Difficulty in integrating the data source 
m Volume or noisiness of data source 
m Human error/oversight 


If a data source was previously unable to be integrated into a SIEM, the data source should 
be reassessed to see whether it is more viable to connect it to the SIEM to reduce as many blind 
spots as possible in the environment when moving to a modern solution. 


TIP You might be familiar with the phrase “collection is not detection.” Remember, inges- 
tion charges increase as more data is sent to your workspace, so it is important to only 
ingest data that has use in a security monitoring context. As a rule of thumb, if you're not 
going to run a detection against it or use the data source for hunting, you need to reassess 
whether you should be ingesting it at all. Blindly ingesting as many data sources as possible 
will lead to a very large Azure bill! 
Free data sources in Azure Sentinel 


There are some data sources that can be ingested into Azure Sentinel free of charge. At the 
time of writing, the following sources could be ingested into a workspace completely free of 
charge when using the built-in Azure Sentinel connector: 


m Azure Activity logs 
m Office 365—Exchange, SharePoint, and Teams logs 


m Security alerts (not raw logs) from Microsoft security products—MCAS, Azure Defender, 
Defender for Identity, Defender for Endpoint, and so on 


NOTE ONLY THE INGESTION IS FREE 


These data sources would accumulate a retention charge if they were retained for more than 
90 days in a workspace; only the ingestion is free. 


TIP CHECK THE FREE DATA SOURCES 


From time to time, Microsoft might change the data sources that are free to ingest. Make 
sure that you check this prior to your exam and—arguably more importantly—prior to an 
implementation, so you or your customer don't get a nasty billing shock! 


Identify the prerequisites for a data connector 


Azure Sentinel makes it easy to understand what prerequisites you need before you can use 
a data connector: they are all listed on each data connector's page. Some data connectors re- 
quire Syslog/CEF connectors or Windows Event collectors to be set up as a prerequisite for use, 
but we'll dive into that in more detail later in this chapter. 


Follow these steps to view the prerequisites for using a data connector: 
1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 
4. Click Data Connectors, which opens the Data Connectors page. 


5. Select the data connector for which you want to view the prerequisites and click the 
Open Connector page button. 
6. The connector’s overview page appears, as shown in Figure 3-15. 


FIGURE 3-15 Data connector prerequisites 


7. The prerequisites to be able to use the selected data connector can be found in the top- 
right part of the connector's page. 


TIP NOTE ADDITIONAL PERMISSIONS NEEDED 


Some data connector prerequisites will require you to have Azure AD permissions in other 
parts of Azure—not just Azure Sentinel—so take careful note of what additional permis- 
sions you need to be granted to be able to use a data connector. 


Configure and use Azure Sentinel data connectors 


Now that you've identified which data connectors you want to use and have all the prereq- 
uisites in hand, it's time to start configuring your Azure Sentinel data connectors. As always, 
Azure Sentinel tries to make this process as easy and painless as possible for you (you're prob- 
ably noticing a theme here!). 


Following are some examples of the Azure Sentinel data connectors you might connect in 
this manner: 


m Microsoft Cloud App Security (MCAS) 
m Azure Defender 
m Azure Defender for loT 
m Microsoft Defender for Endpoint 
= Microsoft Defender for Identity 
m Microsoft Defender for Office 365 
m Azure Active Directory Identity Protection 


To configure a data connector: 
1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 
4. Click Data Connectors. The Data Connectors page appears. 


5. Select the data connector that you want to configure and click the Open Connector 
page button. 


6. The configuration steps to activate the selected data connector can be found on the 
bottom-right of the connector’s page. Configuration steps vary from data connector to 
data connector, as shown in Figures 3-16 and 3-17. 


FIGURE 3-16 Configuration steps for the Azure Activity data connector 
FIGURE 3-17 Configuration steps displayed for the Azure Active Directory data connector 


7. Follow the configuration steps detailed to connect your data source to your workspace. 


8. After you've connected the data source to your workspace, you can use the data 
connector’s page to check the status of the connector, when the last log was received, 
and the like, as shown in Figure 3-18. 


FIGURE 3-18 Checking the status of the Azure Activity data connector in Azure Sentinel 


NOTE BE PATIENT 


After you have connected a data source, don’t be concerned if you don't see logs being 
received immediately. Depending on the data source, it might take up to a few hours before 
logs will start being ingested from that source into your workspace. 


Design and configure Syslog and CEF event collections 


Syslog and CEF formats are used by a huge range of systems for logging. You'll notice that if 
you review the prerequisites for the built-in Azure Sentinel data connectors that several of 
them use Syslog or CEF collection to ingest logs. 
TIP DON'T MAKE A CUSTOM CONNECTOR UNNECESSARILY 


If there isn't a native Azure Sentinel data connector for your data source, check to see if that 
source can output logs in Syslog or CEF. Don’t jump right into making a custom connector if 
you don't need to! 


Before we dive in to how to design a collector for these types of logs, let's quickly step back 
and understand what Syslog and CEF are. 


Syslog 

Syslog has been around for a long time in computing terms—it first came into existence in 
the 1980s—and was documented in RFC 3164 in the early 2000s by the IETF. I deliberately use 
the word “documented” rather than “standardized,” as you might be more used to saying when 
referring to RFCs. This is because the only consistent part of a Syslog message is the beginning 
portion, where there is a timestamp and IP address or hostname. The contents of the remain- 
ing message can vary from source to source. Syslog logs are sent to the Syslog table. 


Common Event Format (CEF) 


CEF is also known as “Syslog CEF” because CEF is a normalized version of Syslog. It is already 
parsed and formatted, so it requires less work when the log is ingested into a SIEM solution. If 
a data source you want to connect to Azure Sentinel can output in Syslog or CEF, choose CEF! 
CEF logs are sent to the CommonSecurityLog table. CEF logs are formatted like this: 


CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension 


NOTE QUERY TIME PARSING 


Syslog will require further parsing before it can be used, which can be done in KQL using 
query time parsing. Microsoft has written some parsers to get you started. You can learn 
more about query time parsing in Azure Sentinel at https://docs.microsoft.com/en-us/azure/ 
sentinel/normalization#installing-a-parser. 
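As an added example (not code from the book or from Microsoft), the following Python parser does for a CEF-over-Syslog line what the CommonSecurityLog pipeline or a KQL query-time parser has to do: it keeps the Syslog prefix (the only consistent part of a Syslog message), splits the seven pipe-delimited header fields shown above while honouring the `\|` escape, and then parses the space-separated `key=value` extension while honouring `\=`. The sample message, the host name fw01 and the vendor name "Acme" are constructed.

```python
import re

# Constructed sample (not from the book): a CEF event wrapped in a Syslog
# header, as a firewall might forward it to the collector. "Acme" is made up.
SAMPLE = (
    "<134>Jan 12 10:15:02 fw01 CEF:0|Acme|Firewall|1.0|100|Connection blocked|5|"
    "src=10.1.2.3 dst=198.51.100.7 spt=51515 dpt=443 act=block "
    "msg=Policy hit\\=deny-all rt=Jan 12 2021 10:15:01"
)

# Header field names in the order the format defines them.
HEADER_FIELDS = ["Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "SignatureID", "Name", "Severity"]

# An extension key: a run of key characters at the start of the extension or
# right after whitespace, followed by '='. A '\=' inside a value never matches
# because the backslash is not a key character.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def unescape(text):
    """Undo CEF escaping: '\\|', '\\=', '\\\\', plus '\\n' and '\\r' in values."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def split_header(cef):
    """Split the seven '|'-separated header fields; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped char: keep both for unescape()
            cur.extend(cef[i:i + 2])
            i += 2
        elif ch == "|":
            fields.append(unescape("".join(cur)))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) == 6 and cur:                 # severity without a trailing '|'
        fields.append(unescape("".join(cur)))
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, cef[i:]


def parse_extension(ext):
    """Parse 'key=value key=value' where values may contain spaces and '\\='."""
    keys = list(KEY_RE.finditer(ext))
    parsed = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = unescape(ext[m.end():end].strip())
    return parsed


def parse_cef(line):
    """Parse one Syslog-wrapped (or bare) CEF line into a dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message")
    fields, ext = split_header(line[idx + len("CEF:"):])
    record = dict(zip(HEADER_FIELDS, fields))
    # The Syslog prefix (PRI, timestamp, host) is kept so the event can still
    # be attributed to the sending device.
    record["SyslogPrefix"] = line[:idx].rstrip()
    if record["Severity"].isdigit():
        record["Severity"] = int(record["Severity"])
    record["Extension"] = parse_extension(ext)
    return record


if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE).items():
        print(f"{key}: {value}")
```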


Syslog/CEF collector architecture options 


The great news is that it doesn’t matter whether you're collecting Syslog or CEF, the agent used 
and architectural considerations are exactly the same. A Syslog/CEF collector for Azure Sentinel 
uses the Linux version of the Log Analytics agent, also known as the OMS agent. 
TIP INSTALLATION SCRIPT 


Installation of this agent is very simple, and Microsoft provides an installation script that 
you can learn more about at https://docs.microsoft.com/en-us/azure/azure-monitor/agents/ 
agent-linux. 


With regard to the architecture choices for your Syslog/CEF collector, you have two choices: 
Deploy on-premises or deploy in the cloud. Both architectures are supported, so ultimately, you 
will need to decide what works best for your environment. A cloud-based collector offers the 
elasticity and resiliency of cloud resources but might require more on-premises configuration. 
For example, if there is a firewall between the on-premises environment and the network con- 
nection to the Azure cloud (such as via Express Route, VPN, and so on), then ports would need to 
be opened for every Syslog/CEF source to be allowed through to reach the cloud. This might not 
be feasible or acceptable for security teams. In this case, an on-premises collector could better 
serve the implementation. As with so many things in IT implementations, there are pros and cons 
to each choice. These architecture options are shown below in Figures 3-19 and 3-20. 
FIGURE 3-19 Architecture for an on-premises-based Syslog/CEF collector 


FIGURE 3-20 Architecture for a cloud-based Syslog/CEF collector 


TIP EVENTS PER SECOND (EPS) 


Remember to size your collectors appropriately depending on the number of events per 
second (EPS) that you expect to collect from your environment. A single log forwarder 
machine using the rsyslog daemon has a supported capacity of up to 8500 EPS. 


Design and configure Windows Events collections 


Windows security events are events logged by devices using the Windows OS (servers and 
endpoints, physical and virtual) and can be sent to an Azure Sentinel workspace for analysis 
and for correlation with other events in your environment. Azure Sentinel provides a built-in 
connector where you can stream Windows security events to your workspace, as shown in 
Figure 3-21. Logs collected using this data source go into the SecurityEvents table. 
FIGURE 3-21 The built-in Security Events connector 


TIP SECURITY EVENTS CONNECTOR 


If you are using the same workspace for Azure Sentinel as Azure Security Center, you might 
already be collecting Windows security event logs if you have configured this in ASC. If this 
is the case, you don’t need to do anything in the Azure Sentinel UI, and you should already 
see the Security Events connector showing as Connected. 


As we did with collecting Syslog and CEF events, we will be using the Log Analytics agent 
to collect Windows security events, but we will be using the Windows version (unsurprisingly!). 
Unlike Syslog/CEF collection, we won't be creating a centralized collector. When using the 
Windows version of the Log Analytics agent, each agent streams directly to the Azure Sentinel 
workspace. There is no intermediary device. In Figure 3-22, you can see how Windows systems 
stream security events to a Sentinel workspace. 


FIGURE 3-22 Streaming Windows security events to Azure Sentinel 


NOTE LOGANALYTICS GATEWAY 


If you have Windows systems that have no Internet access in your environment, you can use 
a Log Analytics gateway to act as a forward proxy for your Windows security events. You 
can learn more about the Log Analytics gateway at https://docs.microsoft.com/en-us/azure/ 
azure-monitor/agents/gateway. 


Configuring Windows security event collection for Azure Windows 
Virtual Machines 


Follow these steps to configure the Security Events connector in Azure Sentinel for Azure 
Windows Virtual Machines: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 
4. Click Data Connectors, which opens the Data Connectors page. 


5. Select the Security Events Data Connector and click the Open connector Page 
button. The Security Events Data Connector | Overview page appears. 
6. The shortcuts to install the Log Analytics agent on your Windows system can be found 
on the bottom-right part of the connector's page. Figure 3-23 shows the shortcuts to 
installation on the connector page. 


FIGURE 3-23 Log Analytics agent connector installation locations 


7. Click Download & Install Agent For Azure Windows Virtual Machines. 
8. On the Virtual Machines page, select the machine(s) that you want to connect. 


9. On the AzureWindowsServer page, click Connect. You will see the connection to your 
Sentinel workspace taking place, as shown in Figure 3-24. 


FIGURE 3-24 Connecting an Azure virtual machine to Azure Sentinel for Windows security 
event streaming 
Configuring Windows security event collection for non-Azure 
Windows Machines 


Follow these steps to configure the Security Events connector in Azure Sentinel for non-Azure 
Windows machines: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 
4. Click Data Connectors. The Data Connectors page appears. 
5. Select the Security Events Data Connector and click the Open Connector button. 


6. The shortcuts to install the Log Analytics agent on your Windows system can be found 
on the bottom-right of the connector’s page. Figure 3-25 shows the installation short- 
cuts on the connector page. 


FIGURE 3-25 Downloading the Log Analytics agent for non-Azure Windows machines 


7. Click Download & Install Agent For Non-Azure Windows Machines. The Agents 
Management page appears, as shown in Figure 3-26. 


FIGURE 3-26 Retrieving Workspace ID and workspace keys 


8. Make a note of your Workspace ID and workspace keys (Primary Key and Secondary 
Key) to input into the agent later. 

9. Run the installer package on your target system, and it will launch the Microsoft Moni- 
toring Agent Setup Wizard, as shown in Figure 3-27. 


FIGURE 3-27 Microsoft Monitoring Agent Setup Wizard 


10. Agree to the Microsoft software license terms and select a folder in which to install 
the agent. 


11. In Agent Setup Options, select Connect The Agent To Azure Log Analytics (OMS), 
as shown in Figure 3-28. 


FIGURE 3-28 Microsoft Monitoring Agent Setup 


12. After clicking Next, you will be asked to provide your Workspace ID and Workspace Key 
for your Sentinel workspace, as shown in Figure 3-29. 


FIGURE 3-29 Adding the Workspace ID and Workspace Keys 


13. Click Next and complete the installation of the agent. 


14. Return to the Azure portal and check the Agents Management page where you should 
now see your non-Azure machine connected, as shown in Figure 3-30. 


FIGURE 3-30 Agents Management page 


Choosing Windows security events to stream to an Azure 
Sentinel workspace 


There are thousands of Windows Events, and it can be hard to choose which ones you need to 
ingest, so Microsoft provides preset options in the connector itself (shown in Figure 3-31): 


m All Events 
m Common 
m Minimal 
m None 
FIGURE 3-31 Preset streaming options available for the Security Events connector 


MORE INFO WINDOWS SECURITY EVENTS INCLUDED IN EACH PRESET OPTION 


You can learn more about the Event IDs included in each preset streaming option at 
https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events. 


Configure custom threat intelligence connectors 


Using threat intelligence (TI) feeds enriches the information a SIEM collects and thus enhances 
your security operations. TI feeds contain information about cyberthreats. Most typically, we 
see these expressed as indicators of compromise (IOCs). An IOC could be a known malicious IP, 
URL, hash value, and the like. If this IOC is matched to values in the data from your IT environ- 
ment, it could indicate that an attacker is (or has been) in your environment. This is why IOCs 
from threat intelligence are often used for proactive hunting. From an incident perspective, 

if an incident is raised where some entities have matches to your threat intelligence, an SOC 
might choose to raise the severity of the incident because there is a higher likelihood that 
known attackers are part of the incident. 

IOCs often have an expiration date attached to them. We know that attackers will change 
how they present their attacks frequently to avoid detection, which is why IOCs need frequent 
updating via a TI feed. TI feeds can be purchased from a vendor, but there are also open- 
source and free-to-use TI feeds available in the community. 

In Azure Sentinel, when TI feeds are connected, the IOCs from the feed will be stored in the 
ThreatIntelligenceIndicator table, and you'll be able to review them in a more user-friendly 
format on the Threat intelligence page in the Sentinel UI. You can also add IOCs manually on 
the New Indicator blade, as shown in Figure 3-32. 
[Figure 3-32 shows the New indicator blade, with the fields Types (for example, IPv4 address), Tags, Threat types, Description, Revoked, Confidence, Kill chains, Valid from (required), and Valid until.]


FIGURE 3-32 Manually adding an IOC 


If you are using a threat intelligence feed, it is likely to be sent from a STIX/TAXII setup: 


■ STIX (Structured Threat Information eXpression) STIX is a standardized language 
that has been developed by MITRE in a collaborative way to represent structured 
information about cyber threats. 


■ TAXII (Trusted Automated eXchange of Indicator Information) TAXII is a 
transport vehicle for STIX-structured threat information that allows STIX information to be 
exchanged between parties. 


STIX and TAXII were created to allow easy and consistent sharing of threat information 
between individual people or organizations worldwide. 
Azure Sentinel has a built-in threat intelligence data connector that can be used to connect 
to TAXII servers and import IOCs into the ThreatIntelligenceIndicator table. 


TIP OLDER TAXII VERSIONS NOT SUPPORTED 


Azure Sentinel only supports connections to the most recent versions of TAXII: 2.0 or 2.1. 
Older versions of TAXII are not supported. 


Follow these steps to configure the Threat Intelligence Connector in Azure Sentinel: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 

3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 

4. Click Data Connectors. The Data Connectors page appears. 


5. Select the Threat intelligence (TAXII) Data Connector and click the Open Connector 
button. The Threat Intelligence (TAXII) Data Connector appears, as shown in 
Figure 3-33. 


[Figure 3-33 shows the Configuration section of the connector: "Configure TAXII servers to stream STIX 2.0 or 2.1 threat indicators to Azure Sentinel" using the built-in TAXII connector, with a link to the full documentation, the instruction "Enter the following information and select Add to configure your TAXII server," and an Add button.]


FIGURE 3-33 Configuring a TAXII server 


6. Under Configuration, complete the details required to connect your TAXII server to 
Azure Sentinel. (This is standard information and should be provided by the threat 
intelligence feed provider.) Click Add. 
7. You can check which TAXII servers you have connected to your Sentinel workspace by 
scrolling down to the bottom of the Threat Intelligence Connector page and checking 
the List Of Configured TAXII Servers, as shown in Figure 3-34. 


[Figure 3-34 shows the "List of configured TAXII servers" table, with a search box and the columns Friendly name, TAXII server, Collection ID, and a last-ingestion timestamp. The example row is ThreatStream, https://limo.anomali.com/api/v1/taxii2/feeds/, collection ID 135.]


FIGURE 3-34 Checking configured TAXII servers on the Threat intelligence connector page 


8. You can view IOCs on the Threat intelligence page in the Sentinel UI, as shown in 
Figure 3-35. 


[Figure 3-35 shows the Azure Sentinel | Threat intelligence (Preview) page, with summary counts of indicators at the top and the list of imported indicators below.]


FIGURE 3-35 Viewing imported IOCs on the Threat Intelligence page 


NOTE ACTIVE COLUMN 


IOCs that have expired will still appear in the ThreatIntelligenceIndicator table because of 
the immutable nature of Log Analytics and will only age out when they reach the workspace’s 
configured retention period. To combat this, the ThreatIntelligenceIndicator table has an 
Active column; when an IOC's expiry date is reached, a new entry will be added with False in 
the Active column, and it will no longer be used by Azure Sentinel for IOC matching. 
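The path from a TAXII feed to IOC matching, as an added example that is not from the book and not Microsoft's connector code: it parses a few constructed STIX 2.1 indicator objects of the shape a TAXII 2.x collection returns, writes them as rows of an in-memory model of the ThreatIntelligenceIndicator table, appends the Active = False rows that Sentinel adds at expiry, and then performs the two steps a matching query must take against an append-only table: keep only the latest row per IndicatorId (the KQL `summarize arg_max(TimeGenerated, *) by IndicatorId` pattern) and keep only rows whose Active is true and whose ExpirationDateTime is still in the future. The column names follow the real table; the single-comparison STIX pattern grammar, the mapping of STIX object paths to columns, the event field names, the sample indicators and the sample events are this example's assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: three STIX 2.1 indicators as a TAXII 2.1 collection would return them.
# Pattern grammar is simplified to one comparison per indicator (this example's assumption).
STIX_INDICATORS = [
    {"type": "indicator", "id": "indicator--1111", "pattern": "[ipv4-addr:value = '203.0.113.10']",
     "valid_from": "2021-04-01T00:00:00Z", "valid_until": "2021-06-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--2222", "pattern": "[url:value = 'http://malicious.example/payload']",
     "valid_from": "2021-04-01T00:00:00Z", "valid_until": "2021-06-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--3333", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2021-03-01T00:00:00Z", "valid_until": "2021-04-15T00:00:00Z"},  # expires before NOW
]

# Which ThreatIntelligenceIndicator column holds the value for each STIX object path (assumed mapping).
STIX_TO_COLUMN = {"ipv4-addr:value": "NetworkIP", "url:value": "Url", "file:hashes.'SHA-256'": "FileHashValue"}
PATTERN_RE = re.compile(r"^\[(?P<path>[\w:.'\-]+)\s*=\s*'(?P<value>[^']+)'\]$")

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

@dataclass(frozen=True)
class Row:
    """One record of the (append-only) ThreatIntelligenceIndicator table."""
    IndicatorId: str
    Column: str
    Value: str
    Active: bool
    ExpirationDateTime: datetime
    TimeGenerated: datetime

def ingest(stix_objects, ingested_at: datetime) -> list:
    """Connector side: one row per indicator, Active=True at ingestion time."""
    rows = []
    for obj in stix_objects:
        m = PATTERN_RE.match(obj["pattern"])
        if not m or m.group("path") not in STIX_TO_COLUMN:
            continue  # pattern shapes this example does not model are skipped
        rows.append(Row(obj["id"], STIX_TO_COLUMN[m.group("path")], m.group("value"),
                        True, parse_ts(obj["valid_until"]), ingested_at))
    return rows

def current_state(rows) -> dict:
    """Latest row per IndicatorId: the KQL `summarize arg_max(TimeGenerated, *) by IndicatorId`."""
    latest = {}
    for r in rows:
        if r.IndicatorId not in latest or r.TimeGenerated > latest[r.IndicatorId].TimeGenerated:
            latest[r.IndicatorId] = r
    return latest

def expire(rows, now: datetime) -> list:
    """Sentinel side: old rows stay (Log Analytics is append-only); an Active=False row is appended."""
    return rows + [Row(r.IndicatorId, r.Column, r.Value, False, r.ExpirationDateTime, now)
                   for r in current_state(rows).values() if r.Active and r.ExpirationDateTime <= now]

def active_indicators(rows, now: datetime) -> dict:
    """What a matching query should join against: latest row per indicator, Active and unexpired."""
    return {(r.Column, r.Value): r for r in current_state(rows).values()
            if r.Active and r.ExpirationDateTime > now}

# Event field compared with each indicator column (assumed for the constructed events below).
EVENT_FIELD_FOR_COLUMN = {"NetworkIP": "SourceIP", "Url": "RequestUrl", "FileHashValue": "SHA256"}

def match_events(rows, events, now: datetime) -> list:
    """Return (event, IndicatorId) pairs for every event field that equals an active IOC."""
    active = active_indicators(rows, now)
    hits = []
    for ev in events:
        for column, fieldname in EVENT_FIELD_FOR_COLUMN.items():
            key = (column, ev.get(fieldname))
            if key in active:
                hits.append((ev, active[key].IndicatorId))
    return hits

# Constructed sample events, as if from a proxy or firewall table in the workspace.
EVENTS = [
    {"Computer": "ws01", "SourceIP": "203.0.113.10"},                        # active IOC 1111
    {"Computer": "ws02", "RequestUrl": "http://malicious.example/payload"},  # active IOC 2222
    {"Computer": "ws03", "SourceIP": "198.51.100.7"},                        # IOC 3333 has expired: no match
    {"Computer": "ws04", "SourceIP": "192.0.2.50"},                          # not an IOC
]
INGESTED_AT = datetime(2021, 4, 10, tzinfo=timezone.utc)
NOW = datetime(2021, 5, 1, tzinfo=timezone.utc)

def demo():
    rows = expire(ingest(STIX_INDICATORS, INGESTED_AT), NOW)
    return rows, match_events(rows, EVENTS, NOW)

if __name__ == "__main__":
    rows, hits = demo()
    print(f"{len(rows)} rows in table, {len(hits)} matches")
    for ev, ind in hits:
        print(ev["Computer"], "->", ind)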


Create custom logs in Azure Log Analytics to store 
custom data 


Sometimes, it won't be possible to use any of the native methods described in the previous 
sections to connect your data source, so what then? The main method by which you can ingest 
custom logs into Azure Sentinel is to use the HTTP Data Collector API, but there are different 
ways to interact with it: directly via the API or via Azure Logic Apps. Depending on the use case, 
volume, and type of data you need to ingest, it will likely become obvious which method is 
better to use. 


TIP INGESTING CUSTOM LOGS 


As a rule of thumb, it is best to only ingest custom logs via Azure Logic Apps for relatively 
small quantities of data, such as enrichment data. 


Custom log ingestion via the Azure Monitor HTTP Data 
Collector API 


Azure Monitor provides the HTTP Data Collector API that can ingest data from a REST API 
client. Remember, Log Analytics is part of the wider Azure Monitor platform, so don’t be put 
off by the name! Data must be sent to the HTTP Data Collector API in JSON format, and from 
there, it will be parsed into a custom table. When you submit the data, an individual record is 
created in the repository for each record in the request payload, as shown in Figure 3-36. 


[Figure 3-36 is a diagram: an HTTP request carrying the header Log-Type: MyCustomLogs and a JSON-formatted body of records is sent to Azure Monitor, which writes the records into the custom table MyCustomLogs_CL in Log Analytics.]


FIGURE 3-36 Sending data to the Azure Monitor HTTP Data Collector API 


You have many options when choosing how to interact with this API; typically, this would be 
via an existing REST API client or a serverless function written in PowerShell, Python, C#, and so 
on. There really are no limits to how you interact and send data as long as you stick to the rules 
and formats required by the API. 


MORE INFO USING THE AZURE MONITOR HTTP DATA COLLECTOR API 


Although outside the scope of this exam, you can read more about the exact formats 
required and see some code examples at https://docs.microsoft.com/en-us/azure/azure- 
monitor/logs/data-collector-api#concepts. 
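How a signed call to the HTTP Data Collector API is put together, as an added example that is neither the book's code nor Microsoft's sample: it builds the string to sign, the SharedKey authorization header (HMAC-SHA256 keyed with the base64-decoded workspace key), the Log-Type and x-ms-date headers, and the JSON body, and checks the two limits a custom-log producer most often trips over: the Log-Type name format and the per-post size. The workspace ID is a placeholder, the key is a constructed all-zero key of the right shape, and the records are constructed enrichment data; send() is only for use with real credentials.

```python
import base64
import hashlib
import hmac
import json
import re
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"
MAX_POST_BYTES = 30 * 1024 * 1024                    # documented per-post limit of the API
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")   # letters, digits, underscore; max 100 chars

def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """The exact string the API expects to be signed: method, length, type, x-ms-date, resource."""
    return f"POST\n{content_length}\n{CONTENT_TYPE}\nx-ms-date:{rfc1123_date}\n{RESOURCE}"

def authorization_header(workspace_id: str, shared_key_b64: str, content_length: int, rfc1123_date: str) -> str:
    """'SharedKey <workspace id>:<base64(HMAC-SHA256(base64decode(key), string_to_sign))>'."""
    key = base64.b64decode(shared_key_b64)   # the workspace primary/secondary key is base64
    digest = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"

def build_request(workspace_id, shared_key_b64, log_type, records, now=None, time_generated_field=None):
    """Return (url, headers, body) for one POST; nothing is sent from here."""
    if not LOG_TYPE_RE.match(log_type):
        raise ValueError("Log-Type may contain only letters, digits and underscores (max 100 chars)")
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")   # a JSON array of records
    if len(body) > MAX_POST_BYTES:
        raise ValueError("payload exceeds the 30 MB per-post limit; split the batch")
    now = now or datetime.now(timezone.utc)
    rfc1123_date = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": authorization_header(workspace_id, shared_key_b64, len(body), rfc1123_date),
        "Log-Type": log_type,        # Azure Monitor appends _CL: MyCustomLogs becomes MyCustomLogs_CL
        "x-ms-date": rfc1123_date,
    }
    if time_generated_field:         # otherwise TimeGenerated is the ingestion time
        headers["time-generated-field"] = time_generated_field
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body

def send(url, headers, body) -> int:
    """POST the signed request; the API answers 200 OK on success. Only call with real credentials."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status

# Constructed placeholders: not a real workspace, and a dummy all-zero key of the right shape.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DUMMY_KEY = base64.b64encode(b"\x00" * 64).decode("ascii")
SAMPLE_RECORDS = [  # constructed enrichment records; each becomes one row in MyCustomLogs_CL
    {"EventTime": "2021-04-22T09:58:00Z", "Indicator": "203.0.113.10", "Source": "internal-blocklist", "Score": 90},
    {"EventTime": "2021-04-22T09:59:00Z", "Indicator": "malicious.example", "Source": "internal-blocklist", "Score": 75},
]

def demo():
    return build_request(WORKSPACE_ID, DUMMY_KEY, "MyCustomLogs", SAMPLE_RECORDS,
                         now=datetime(2021, 4, 22, 10, 0, 0, tzinfo=timezone.utc),
                         time_generated_field="EventTime")

if __name__ == "__main__":
    url, headers, body = demo()
    print(url)
    for k, v in headers.items():
        print(f"{k}: {v}")
    print(body.decode())
```

The signature covers the body length and the date, so a replayed request with a different body or a stale x-ms-date is rejected by the service; keep the workspace key out of source control and prefer the secondary key for rotation.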


Custom log ingestion via Azure Logic Apps 


We'll be covering more about Azure Logic Apps and automation later in this chapter, but in 
this section we'll talk about how you can configure a Logic App to ingest custom data into your 
workspace. If you're unfamiliar with this product, Logic Apps provides a GUI-based interface 
for building automation workflows, which Azure Sentinel calls Playbooks. If you've ever used 
Microsoft Flow, you'll have a good idea of what you'll be doing in Azure Logic Apps. 


Let's walk through an example of pulling data from an external API to store in a custom 
table in Log Analytics. In my example, we're going to be pulling weather data, but in real-life 
security operations this is more likely to be threat intel or something else that enriches the data 
in your workspace. 

1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 


4. Click Automation. The Automation page appears, as shown in Figure 3-37. 


[Figure 3-37 shows the Azure Sentinel | Automation page, with counters for automation rules, enabled rules, and enabled playbooks, and the tabs Automation rules (Preview) and Playbooks. The playbook list has Name, Status, and Trigger kind columns; the example row is Enabled with the Azure Sentinel Alert trigger.]


FIGURE 3-37 Reviewing the Automation page 


5. Click Create > Add New Playbook. The Create A Logic App page appears, as shown 
in Figure 3-38. 


6. Fill out the Subscription, Resource Group, Region, and Name of the Playbook and 
click Review + Create to validate your template. 


7. When your template has validated, click Create. 
[Figure 3-38 shows the Create a logic app page (Basics, Tags, Review + create tabs). Under Project details are Subscription (Contoso Security Operations) and Resource group (Sentinel-RG, with a Create new link); under Instance details are Logic app name, Region (Southeast Asia), the Associate with integration service environment option, and the Enable log analytics option with a Log Analytics workspace selector.]


FIGURE 3-38 Completing the details of a Logic App 


8. Open the blank Playbook you have created. You will be given the option to choose 
from various predefined templates. This time, select Blank Logic App. The Logic Apps 
Designer page appears. 

9. We can now search for a trigger to kick-off the Playbook in the Logic App Connector 
Gallery. In Figure 3-39, you can see that we are searching for the Schedule trigger. 


[Figure 3-39 shows the Logic App connector gallery (tabs For You, All, Built-in, Standard, Enterprise, Custom) with the Schedule connector listed first among connectors such as Azure Data Factory, Basecamp, Calendly, Cisco Webex Meetings, Dynamics 365, Google Calendar, and GoToMeeting.]


FIGURE 3-39 Searching for the Schedule trigger in the Logic App connector gallery 




NOTE DON’T CONFUSE CONNECTORS 


Don't confuse a Sentinel data connector with a Logic App connector. They are two very 
different things! Logic App connectors are a collection of triggers and actions that you 
can add to a Playbook to make your automation flow. 


10. Select the Schedule connector and choose the Recurrence trigger. 


11. Configure how frequently you want this Playbook to run. In my example, I'm going to 
configure it to run every 5 minutes, as you can see in Figure 3-40. 


[Figure 3-40 shows the Recurrence trigger configured to run every 5 minutes, with Frequency set to Minute.]


FIGURE 3-40 Configuring the frequency of the Playbook running in the Logic App Designer 


12. For the next step in the Playbook, select HTTP Logic App Connector > HTTP Action. This 
is where we will configure the call to the external API for the custom data to be ingested. 


13. Select GET for Method and add the URI for the API, plus any other necessary parts of 
the request such as authentication, headers, and so on. You can see the completed one 
for my weather API in Figure 3-41. 


[Figure 3-41 shows the HTTP action with Method set to GET and the URI https://api.openweathermap.org/data/2.5/weather? followed by its query parameters.]


FIGURE 3-41 HTTP request to the external API 


14. The final step in the Playbook will be to send this data into Log Analytics. Search for and 
select the Azure Log Analytics Data Collector and then select the Send Data action. 
15. You will be asked to complete the details of the workspace to which you want to send 
the data (see Figure 3-42). Give the connection a memorable name and provide your 
workspace ID and key. (Earlier in this chapter, we explained how to obtain these.) 


16. Click Create. 


[Figure 3-42 shows the Azure Log Analytics Data Collector connection dialog, with the required fields Connection name, Workspace ID, and Workspace Key.]


FIGURE 3-42 Completing the connection with the workspace 


17. As shown in Figure 3-43, you will need to provide the JSON Request Body details that 
will be received by the Playbook. This allows the Playbook to parse the data correctly 
when it is received. You will also need to specify the name of the custom table that the 
data will be sent to in the Custom Log Name field. 


[Figure 3-43 shows the Send Data (Preview) action, with the required fields JSON Request body and Custom Log Name ("Name of the custom log"), and a Change connection link.]


FIGURE 3-43 Completing the JSON Request Body format and custom table names in the Playbook 


18. Click Save at the top left of the Logic App Designer page. 


19. Navigate to the Playbook’s Overview page and select Run Trigger > Recurrence to 
test your Playbook (see Figure 3-44). You will be able to see whether the Playbook ran 
successfully by looking at the bottom-right of the page. 


[Figure 3-44 shows the Overview page of the CustomLog Logic app (Home > Logic apps), with the Run Trigger menu open and Recurrence selected.]


FIGURE 3-44 Manually running a Playbook to test it 




20. Now it's time to check whether our logs were received properly into our custom 
table: Navigate to the Logs page. As you can see in Figure 3-45, on the Tables tab, we 
now have an extra drop-down menu, Custom Logs. Whatever name you specified in 
the Custom Log Name will be appended with _CL. This prevents overlaps with the 
naming of built-in tables in Log Analytics. 


[Figure 3-45 shows the Tables tab of the Logs page (Tables, Queries, Functions), grouped by solution: Favorites, Azure Sentinel, LogManagement, and a Custom Logs group containing the table TestCustomLogs_CL.]


FIGURE 3-45 Custom logs listed alongside other tables on the Logs page 


Skill 3-3: Manage Azure Sentinel analytics rules 


Analytics rules are the Sentinel rules that correlate the logs that have been sent to the under- 
lying Log Analytics workspace. Analytics rules run on a periodic basis with the intention of 
correlating specific patterns of events and activities in your environment logs. If a match to the 
rule is found, an alert and/or an incident is created, which your security operations team can 
act upon. (This is covered in more detail later in this section.) 


Design and configure analytics rules 


As with the rest of the product, you'll find that Azure Sentinel has many out-of-the-box analyt- 
ics rules to start you off in your implementation. If you've worked with other SIEMs before, you 
might know them as “detection rules.” These rules have been written by Microsoft security 
experts and, while they are fully customizable to your environment, they are a great way to 
get started with your base analytics rules in your Azure Sentinel implementation. It's worth 
reviewing the out-of-the-box templates regularly to check if there are new ones; Microsoft 
adds more on a regular basis. There are five types of analytics rules in Azure Sentinel: 


■ Scheduled query These queries run on a fixed schedule (every 5 minutes, every hour, 
and the like), and you can see the query logic and can make changes to it. We will 
discuss how to do this later in this section. 


■ Microsoft security These rules automatically create incidents based on alerts from 
other Microsoft security products. These rules are a great way to get your Azure 
Sentinel deployment up and running quickly. 


■ Fusion Fusion uses scalable machine learning algorithms that can correlate many 
low-fidelity alerts and events across multiple products into high-fidelity and actionable 
incidents. Fusion is enabled by default. Because the logic is hidden and therefore not 
customizable, you can only create one rule with this template. 


■ Machine learning (ML) behavioral analytics These templates are based on proprietary 
Microsoft machine learning algorithms, so you cannot see the internal logic of how 
they work and when they run. Because the logic is hidden and therefore not 
customizable, you can only create one rule with each template of this type. 


■ Anomaly These rules use SOC-ML (machine learning) to detect specific types of 
anomalous behavior. Each rule has its own unique parameters and thresholds appropriate 
to the behavior being analyzed, and while its configuration can't be changed or 
fine-tuned, you can duplicate the rule and change and fine-tune the duplicate. 


First, let's look at the Analytics page in the portal, which can be seen in Figures 3-46 and 3-47. 


[Figure 3-46 shows the Analytics page annotated with the columns of the rule list: the name of the analytics rule, the data sources that the rule uses, the rule severity, the type of rule, and the MITRE ATT&CK tactics the rule detects. Above the list are the Analytics efficiency workbook (Preview) link, a Rules by severity summary (High, Medium, Low, Informational), the Active rules and Rule templates tabs, and filters for Severity, Rule Type, Tactics, and Data Sources.]


FIGURE 3-46 Navigating the Analytics page 
We recommend that you enable all out-of-the-box templates that use data sources that you 
ingest into your workspace. It's very easy to do: You can use the filters to filter rule templates by 
a specific data source, or you can just look at the rule template summary (see Figure 3-47) and 
look at Data Sources. 


[Figure 3-47 shows the rule template summary for "Modified domain federation trust settings" (Severity: High; Rule Type: Scheduled). Its description reads: "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated. For example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain. Modification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior. To understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365. For details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b. For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities." Under Data sources it lists Azure Active Directory (AuditLogs), and the Note section says that you haven't used this template yet and can use it to create analytics rules, and that one or more data sources used by this rule is missing, which might limit the functionality of the rule.]


FIGURE 3-47 Checking the rule template summary on the analytics page 


Pay attention to the color of the connector icon next to the name of the data source. If it’s 
green, then Sentinel has found that type of logs in the workspace; if it's gray, then you need 
to add that log type for the rule to work properly. Figure 3-48 shows examples of both green 
(AzureActivity) and gray (Amazon Web Services) icons, with the green icon shown first. 


[Figure 3-48 shows two data source entries from a rule template summary: Azure Activity, with a green AzureActivity icon and a last-seen timestamp of 04/23/21, 07:23 PM; and Amazon Web Services, with a gray AWSCloudTrail icon and no timestamp.]


FIGURE 3-48 Data source indicator on the rule template summary 
NOTE RULES AND DATA SOURCES 


Azure Sentinel will not prevent you from creating rules from templates when you don't have all 
the recommended data sources in your workspace. While you can create them, remember that 
rules can't raise alerts if they don't have all the data sources they need to correlate information! 


To activate an analytics rule template: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the desired workspace. The Azure Sentinel | Overview page appears. 


4. Click Analytics. The Analytics page appears, as shown in Figure 3-49. 


[Figure 3-49 shows the Azure Sentinel | Analytics page with the Create and Refresh buttons, the Analytics efficiency workbook (Preview) link, the Rules by severity summary (High 2, Medium 3, Low 4, Informational 0), and the Active rules and Rule templates tabs. The active rules list (columns Severity, Name, Rule Type) includes Advanced Multistage Attack Detection (Fusion), Known Barium IP (Scheduled), Dynamics 365 - User Bulk Retrieval Outside Normal Activity (Scheduled), Dynamics Encryption Settings Changed (Scheduled), New Office User Agent in Dynamics 365 (Scheduled), and New Dynamics 365 Admin Activity (Scheduled).]


FIGURE 3-49 The Analytics page 


5. Select the Rule Templates tab. 


6. Select the rule template you want to activate and at the bottom of the rule template 
summary, click Create Rule. 


7. You will be taken to the Analytics Rule Wizard. Work your way through the tabs of 
the wizard. (These tabs are all prefilled when using a rule template.) After the validation 
check, click Create. 
NOTE CUSTOMIZING ANALYTICS 


All the tabs in the Analytics Rule Wizard are customizable. We will cover this in more 
detail later in this chapter. 


8. You will return to the main Analytics page. Under the Active Rules tab, you should 
now see your newly created rule, as shown in Figure 3-50. 


[Figure 3-50 shows the Active rules tab of the Analytics page: the Rules by severity summary reads High 2, Medium 0, Low 0, Informational 0, and the list (columns Severity, Name, Rule Type, Status) contains a High-severity Fusion rule and a High-severity Scheduled rule, both Enabled.]


FIGURE 3-50 Checking active rules on the Analytics page 


Create custom analytics rules to detect threats 


Although the out-of-the-box analytics rules are a great way to start off your implementation, 
they aren't optimized for a specific environment and therefore, you might want to customize 
these rules to make them more specific to your thresholds, operational procedures, and so on. 
There are many reasons for customizing query logic, but the most common reason is to reduce 
false positives (such as when a rule triggers an incident but further investigation indicates there 
wasn't a security issue). SOCs are always trying to reduce false positives and noise because it 
wastes SOC analyst time. It is common for SOCs to not have enough analysts to look at alerts as 
it is, so they certainly don’t want them looking at false positives! 


In this section, we will look at how you can customize analytics rules to optimize them. Let's 
go back to the Analytics page and the analytics rule templates: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 
4. Click Analytics. The Analytics page appears. 
5. Select the Rule Templates tab. 


6. Select the rule template you want to use and click Create Rule at the bottom of the rule 
template summary at the bottom-right of the page. For our example, I'm going to use 
the Failed AWS Console Logons But Success Logon To AzureAD rule template. You 
will be taken to the Analytics Rule Wizard, as shown in Figure 3-51. 
[Figure 3-51 shows the Analytics rule wizard - Create new rule from template, with the tabs General, Set rule logic, Incident settings (Preview), Automated response, and Review and create. The General tab ("Create an analytics rule that will run on your data to detect threats") shows the Analytics rule details, including the template's description, which explains that a list of addresses with failed AWS console logons is used to find successful logons from those addresses.]


FIGURE 3-51 Customizing the General tab of an analytics rule 


7. On the General tab, you can customize the Name, Description, and the MITRE Tactics 
that this rule detects on, as well as the Severity of the rule. In this example, I'm planning 
to change the failed login attempts in the rule's logic, so I'm going to update the 
description of the number of failed logins from 5 to 10. 


8. On the Set Rule Logic tab, you will see that various aspects of the rule logic can be customized: 


■ Rule Query The Kusto Query Language (KQL) of the query. (See the "Define 
incident creation logic" section later in this chapter for further details on this.) This is 
fully editable, and in this example, I'm going to change the variable named 
signin_threshold, which can be seen in Figure 3-52. This threshold is currently set to 5 failed 
logins, but I'm going to change it to 10. What this means is that until there have been 
10 failed AWS console logins from a source IP address, followed by a successful Azure AD 
sign-in from that same IP address within the rule's lookback window, this rule will not 
trigger and create an alert. 


■ Alert Enrichment This is where you map entities (such as accounts, hosts, and IP 
addresses) from the query results so that Azure Sentinel can classify them for 
further analysis. 


■ Query Scheduling In this section, you can configure how frequently your query 
runs and how far back in the logs the rule will look for matches (known as the 
lookback window). You can run queries in Azure Sentinel as frequently as every minute. 

■ Threshold This allows you to define how many rule "hits" (result rows) need to occur 
before an alert is raised. Generally, this can almost always be left on the default setting, Is 
Greater Than 0. 

■ Event Grouping This is where you configure how rule query results are grouped 
into alerts: all results in one alert, or one alert per result. 
NOTE KEEP LOOKBACK SETTINGS CONSISTENT 


Lookback windows can also be configured in the rule query logic itself. Remember to keep 
the lookback window consistent between the KQL logic and the rule settings in the portal. 


[Figure 3-52 shows the Rule query editor, with the note "Any time details set here will be within the scope defined below in the Query scheduling fields" and a warning that entity mappings defined under the new version of Entity Mappings do not appear in the query code. The visible start of the template's KQL is:]

//Adjust this threshold to fit environment
let signin_threshold = 5;
//Make list of IPs with failed AWS console logins
let aws_fails = AWSCloudTrail
| where EventName == "ConsoleLogin"
| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
// (the rest of the query is cut off in the figure)


FIGURE 3-52 Customizing the KQL of an analytics rule 
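The logic of this rule, as an added example written in Python rather than KQL and not taken from the template or the book: it counts failed AWS ConsoleLogin events per source IP inside the lookback window, keeps the IPs at or above signin_threshold, and returns the successful Azure AD sign-ins (ResultType "0") from those IPs within the same window, so that changing the threshold or the lookback shows exactly what changes in the result set. The AWSCloudTrail and SigninLogs field names are the real ones; the sample events, and the >= comparison (following the book's description of the threshold; check the template's own operator before tuning), are this example's assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

SIGNIN_THRESHOLD = 10          # the book's customized value (the template ships with 5)
LOOKBACK = timedelta(days=1)   # keep equal to the rule's query-scheduling lookback setting

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def aws_console_failures(aws_events, window_start, window_end) -> Counter:
    """Failed ConsoleLogin events per source IP inside the window (the template's aws_fails list)."""
    fails = Counter()
    for ev in aws_events:
        if ev["EventName"] != "ConsoleLogin":
            continue
        if not (window_start <= parse_ts(ev["TimeGenerated"]) <= window_end):
            continue
        # ResponseElements is a JSON string; its ConsoleLogin member is "Success" or "Failure"
        if json.loads(ev["ResponseElements"]).get("ConsoleLogin") == "Failure":
            fails[ev["SourceIpAddress"]] += 1
    return fails

def run_rule(aws_events, signin_events, now, threshold=SIGNIN_THRESHOLD, lookback=LOOKBACK):
    """One scheduled run: successful Azure AD sign-ins from IPs with >= threshold AWS failures."""
    window_start = now - lookback
    fails = aws_console_failures(aws_events, window_start, now)
    suspicious_ips = {ip for ip, n in fails.items() if n >= threshold}
    results = []
    for ev in signin_events:
        if ev["ResultType"] != "0":            # "0" is a successful sign-in in SigninLogs
            continue
        if ev["IPAddress"] not in suspicious_ips:
            continue
        if not (window_start <= parse_ts(ev["TimeGenerated"]) <= now):
            continue
        results.append({"IPAddress": ev["IPAddress"], "UserPrincipalName": ev["UserPrincipalName"],
                        "AwsFailures": fails[ev["IPAddress"]], "TimeGenerated": ev["TimeGenerated"]})
    return results

def should_alert(results, min_results=0) -> bool:
    """The wizard's alert threshold, default 'Is greater than 0' result rows."""
    return len(results) > min_results

# --- constructed sample data ---
NOW = datetime(2021, 4, 23, 12, 0, tzinfo=timezone.utc)

def aws_event(ip, result, minutes_ago):
    return {"EventName": "ConsoleLogin", "SourceIpAddress": ip,
            "ResponseElements": json.dumps({"ConsoleLogin": result}),
            "TimeGenerated": (NOW - timedelta(minutes=minutes_ago)).isoformat()}

AWS_EVENTS = (
    [aws_event("203.0.113.10", "Failure", 5 * i) for i in range(1, 13)]   # 12 failures in the last hour
    + [aws_event("198.51.100.7", "Failure", 10 * i) for i in range(1, 7)]  # 6 failures: over 5, under 10
    + [aws_event("203.0.113.10", "Failure", 48 * 60)]                      # 2 days ago: outside a 1-day lookback
    + [aws_event("203.0.113.10", "Success", 3)]
)
SIGNIN_EVENTS = [
    {"UserPrincipalName": "alice@contoso.com", "IPAddress": "203.0.113.10", "ResultType": "0",
     "TimeGenerated": (NOW - timedelta(minutes=2)).isoformat()},
    {"UserPrincipalName": "bob@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "0",
     "TimeGenerated": (NOW - timedelta(minutes=4)).isoformat()},
    {"UserPrincipalName": "carol@contoso.com", "IPAddress": "203.0.113.10", "ResultType": "50126",
     "TimeGenerated": (NOW - timedelta(minutes=1)).isoformat()},   # failed sign-in: never matches
]

if __name__ == "__main__":
    for threshold in (5, 10):
        hits = run_rule(AWS_EVENTS, SIGNIN_EVENTS, NOW, threshold=threshold)
        print(f"threshold={threshold}: alert={should_alert(hits)} {[h['UserPrincipalName'] for h in hits]}")
```

With the book's threshold of 10 only the first IP qualifies, so one sign-in is returned and the rule fires; with the template's 5, the second IP qualifies too. Widening the lookback to three days picks up the two-day-old failure, which is the kind of silent change the note above warns about when the KQL and the portal setting disagree.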


9. Let's move to the Incident Settings tab, as shown in Figure 3-53. 


[Figure 3-53 shows the Incident settings tab. Under Incident settings ("Azure Sentinel alerts can be grouped together into an incident that should be looked into"), you set whether the alerts triggered by this analytics rule should generate incidents: Create incidents from alerts triggered by this analytics rule, Enabled or Disabled. Under Alert grouping, you set how alerts triggered by this rule are grouped into incidents; grouping alerts into incidents provides the context you need to respond and reduces the noise from single alerts. The options are Group related alerts, triggered by this analytics rule, into incidents (Enabled/Disabled), with a note that up to 150 alerts are grouped into a single incident and that if more than 150 alerts are generated, a new incident is created and the excess alerts are grouped into it; Limit the group to alerts created within the selected time frame (5 Hours); and Group alerts triggered by this analytics rule into a single incident by: grouping alerts into a single incident if all the entities match (recommended), grouping all alerts triggered by this rule into a single incident, or grouping alerts into a single incident if the selected entities match. A warning notes that entity-based alert grouping can make use only of entities mapped using the new version of entity mapping. Finally, Re-open closed matching incidents can be Enabled or Disabled.]


FIGURE 3-53 Customizing the incident settings of an analytics rule 


10. The Incident Settings tab has many options that can be customized, and how these 
are configured is largely going to come down to the individual SOC and operational 
processes in an organization: 

■ Incident Settings Here, you can enable/disable whether an incident in Azure 
Sentinel is triggered by an analytics rule. Often, people will say: "Of course I need an 
incident triggered from an analytics rule. That's the whole point of the rules!" However, 
sometimes an alert is sufficient for an SOC to take note, but there is 
no need for a full-scale incident. A Playbook can be run on an alert, and automation 
might be able to take care of the actions that need to take place without having any 
human intervention. (More on that later in this chapter.) The SOC might decide that 
an incident is triggered only when a collection or threshold of multiple alerts occur. 
Again, the aim here is to maximize the efficiency of the SOC and to ensure that SOC 
analysts spend their time on the right events that haven't been seen before and that 
require human intervention. 


■ Alert Grouping If you've worked in security operations (or any other kind of 
monitoring, for that matter), you'll likely have seen when a single event raises multiple 
incidents, overwhelming the analysts and your monitoring panel. Alert grouping 
can prevent this in an SOC by telling Azure Sentinel to group matching alerts into the 
same incident within a specified timeframe, thereby reducing noise. 


■ Re-open closed matching incidents As the name suggests, this setting will allow 
Azure Sentinel to re-open a closed incident if a new alert matches the alert grouping 
criteria configured on the rule. 
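The three settings above expressed as grouping logic, written as an added example and not Sentinel's own implementation: alerts are folded into incidents by a grouping key chosen by the grouping option (all entities, selected entity types, or everything from the rule), only within the configured time frame of the incident's first alert, with the 150-alert cap sending the excess to a new incident, and with a closed incident re-opened only when that setting is on. The rule name, alerts, and entities are constructed; the mode names and the Alert/Incident shapes are this example's assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_ALERTS_PER_INCIDENT = 150   # the cap shown on the Incident settings tab

@dataclass
class Alert:
    rule: str
    time: datetime
    entities: frozenset   # mapped entities, e.g. {("Account", "alice@contoso.com"), ("IP", "203.0.113.10")}

@dataclass
class Incident:
    key: tuple            # the grouping key the incident was opened for
    opened: datetime
    alerts: list = field(default_factory=list)
    closed: bool = False

def grouping_key(alert: Alert, mode: str, selected_types=()) -> tuple:
    """Which alerts belong together, per 'Group alerts ... into a single incident by'."""
    if mode == "all_alerts":             # every alert from this rule
        return (alert.rule,)
    if mode == "selected_entities":      # only the chosen entity types must match
        return (alert.rule, frozenset(e for e in alert.entities if e[0] in selected_types))
    return (alert.rule, alert.entities)  # "all_entities": the recommended default

def group_alerts(alerts, mode="all_entities", time_frame=timedelta(hours=5),
                 reopen_closed=False, selected_types=(), existing=()):
    """Fold alerts (in time order) into incidents the way the rule's incident settings describe."""
    incidents = list(existing)
    for alert in sorted(alerts, key=lambda a: a.time):
        if mode == "disabled":                      # grouping off: one incident per alert
            incidents.append(Incident(("alert", id(alert)), alert.time, [alert]))
            continue
        key = grouping_key(alert, mode, selected_types)
        target = None
        for inc in incidents:
            if inc.key != key or not (timedelta(0) <= alert.time - inc.opened <= time_frame):
                continue                            # different group, or outside the time frame
            if len(inc.alerts) >= MAX_ALERTS_PER_INCIDENT:
                continue                            # full: the excess goes to a new incident
            if inc.closed and not reopen_closed:
                continue                            # closed incidents stay closed unless re-open is on
            target = inc
            break
        if target is None:
            target = Incident(key, alert.time)
            incidents.append(target)
        target.closed = False                       # a matching alert re-opens a closed incident
        target.alerts.append(alert)
    return incidents

# --- constructed sample alerts from one scheduled rule ---
RULE = "Failed AWS Console logons but success logon to AzureAD"
T0 = datetime(2021, 4, 23, 9, 0, tzinfo=timezone.utc)
ALICE = frozenset({("Account", "alice@contoso.com"), ("IP", "203.0.113.10")})
BOB = frozenset({("Account", "bob@contoso.com"), ("IP", "198.51.100.7")})
ALERTS = [
    Alert(RULE, T0, ALICE),
    Alert(RULE, T0 + timedelta(minutes=20), ALICE),
    Alert(RULE, T0 + timedelta(minutes=45), BOB),
    Alert(RULE, T0 + timedelta(hours=1), ALICE),
    Alert(RULE, T0 + timedelta(hours=6), ALICE),   # outside the 5-hour frame: opens a new incident
]

def burst(n: int) -> list:
    """n identical alerts one second apart, to exercise the 150-alert cap."""
    return [Alert(RULE, T0 + timedelta(seconds=i), ALICE) for i in range(n)]

def incident_sizes(mode, **kwargs) -> list:
    return [len(inc.alerts) for inc in group_alerts(ALERTS, mode=mode, **kwargs)]

if __name__ == "__main__":
    for mode in ("disabled", "all_alerts", "all_entities"):
        print(f"{mode}: {incident_sizes(mode)}")
```

Running it shows why the entity-based default is recommended: grouping everything from the rule merges Alice's and Bob's activity into one incident, while grouping by entities keeps them apart but still collapses the repeated alerts for the same account and IP.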


11. The Automated Response tab is where either automation rules or Playbooks can be attached to a rule. We discuss this in more detail later in this chapter.

12. After the validation check, click Create. You will return to the main Analytics page. On the Active Rules tab, you should now see your newly created rule.
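The three Incident Settings options from step 10 (incident creation on or off, alert grouping within a lookback window, and re-opening closed matching incidents) are easier to reason about with a small model. The following Python is an added example, not code from this book or from Microsoft Sentinel, and it only mirrors the behaviour described above: the grouping key (rule name plus one mapped entity), the 5-hour window used as the lookback, the status names, and the alert records are all assumptions constructed for the example.

```python
"""Added example: a simplified model of Azure Sentinel's incident settings.
Not Sentinel's code; the grouping key, window and records are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    id: str
    rule: str        # analytics rule that raised it
    entity: str      # mapped entity used as the grouping key, e.g. a source IP
    time: datetime


@dataclass
class Incident:
    id: int
    rule: str
    entity: str
    opened_at: datetime
    status: str = "New"
    alert_ids: list = field(default_factory=list)


@dataclass
class IncidentSettings:
    create_incidents: bool = True             # "Incident Settings" toggle
    group_alerts: bool = False                # "Alert Grouping" toggle
    lookback: timedelta = timedelta(hours=5)  # grouping window (assumed value)
    reopen_closed: bool = False               # "Re-open closed matching incidents"


def route_alert(alert, incidents, settings):
    """Attach one alert to the incident list in place.

    Returns the Incident the alert landed in, or None when the rule is
    configured to raise alerts without incidents (a Playbook can still run
    on the alert in that case)."""
    if not settings.create_incidents:
        return None
    target = None
    if settings.group_alerts:
        for inc in incidents:
            matches = inc.rule == alert.rule and inc.entity == alert.entity
            in_window = timedelta(0) <= alert.time - inc.opened_at <= settings.lookback
            if not (matches and in_window):
                continue
            if inc.status != "Closed":
                target = inc
                break
            if settings.reopen_closed:
                inc.status = "Active"      # reopened instead of duplicated
                target = inc
                break
            # closed match but re-open disabled: keep looking, else create a new one
    if target is None:
        target = Incident(len(incidents) + 1, alert.rule, alert.entity, alert.time)
        incidents.append(target)
    target.alert_ids.append(alert.id)
    return target


def route_alerts(alerts, settings):
    """Batch helper: process alerts in time order and return the incident list."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.time):
        route_alert(alert, incidents, settings)
    return incidents


# Constructed sample: one noisy source IP firing the same rule repeatedly.
T0 = datetime(2021, 6, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert(f"a{i}", "BruteForce", "198.51.100.23", T0 + timedelta(minutes=20 * i))
    for i in range(4)
] + [Alert("a4", "BruteForce", "198.51.100.23", T0 + timedelta(days=1))]  # outside window

if __name__ == "__main__":
    for inc in route_alerts(SAMPLE_ALERTS, IncidentSettings(group_alerts=True)):
        print(inc)
```

With grouping off, the five sample alerts become five incidents; with grouping on, the four alerts inside the window share one incident and the alert a day later opens a second. The reopen path shows the trade-off mentioned above: once an analyst closes the incident, every further matching alert reopens it rather than creating a fresh one, which is good for deduplication and bad for a rule that needs tuning.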


Activate Microsoft security analytics rules 


Microsoft security services perform in-depth analysis of the logs they process and generate high-fidelity alerts. The services in this suite are:

■ Microsoft Cloud App Security (MCAS)
■ Azure Defender
■ Azure Defender for IoT
■ Microsoft Defender for Endpoint
■ Microsoft Defender for Identity
■ Microsoft Defender for Office 365
■ Azure Active Directory Identity Protection


As we learned earlier in this section, these products’ alerts can be connected to Azure Sen- 
tinel using built-in data connectors. Instead of performing further analysis on these alerts, as 
they have already had a significant amount of analysis done in the service, you might want to 
create an Azure Sentinel incident right away. This can be achieved quickly and simply by using 
Microsoft security analytics rules. 
NOTE MICROSOFT SECURITY SERVICE ALERT CONNECTOR

If you have connected the Microsoft security service alert connector to your workspace, you will still find the alerts from that service in the SecurityAlert table. Microsoft security analytics rules are a method to quickly raise incidents from those alerts as soon as they are received into the workspace.


Let's learn how to activate these rules:

1. Navigate to the Azure portal by opening https://portal.azure.com.

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure Sentinel Workspace page appears.

3. Select the workspace you want to use. The Azure Sentinel Overview page appears.

4. Click Analytics. The Analytics page appears.


5. Click Create and select Microsoft Incident Creation Rule, as displayed in Figure 3-54. 




FIGURE 3-54 Creating a Microsoft security analytics rule 


6. The Microsoft Incident Creation Rule Wizard appears, as shown in Figure 3-55. 




FIGURE 3-55 Configuring a Microsoft security analytics rule in the Analytics Rule Wizard 
7. The wizard has several fields that need completing, but you will notice that it has far fewer configurables than a scheduled query rule:

■ Name The name of the rule.

■ Description The description of the rule.

■ Status Set to Enabled or Disabled.

■ Microsoft Security Service This is where you select the type of Microsoft security service alerts that the rule will listen for. You must have one rule per Microsoft security service; they cannot be combined into one.

■ Filter By Severity You can choose to only create incidents for alerts of a certain severity. For example, you might choose to create incidents only for high- and medium-severity alerts using the rule.

■ Include/Exclude Specific Alerts This is where you can explicitly include or exclude certain alerts, matched on text contained in the alert name. This can be useful if a security service generates a noisy alert that does not require an incident to be raised.


TIP INCLUDE/EXCLUDE SPECIFIC ALERTS FEATURE 


Be careful when using the Include/Exclude Specific Alerts feature. While this is an effective way to reduce noise coming from your environment, it means that every instance of the alert specified will not raise an incident, so it is important to be sure that by using this feature, you won't inadvertently miss a real incident. Because the filter is a text match on the alert name, check that the text you exclude does not also appear in the names of alerts you want to keep.


8. The Automated Response tab is where either automation rules or Playbooks can be attached to a rule. We will cover this in more detail later in this chapter.

9. After the validation check, click Create. You will return to the main Analytics page. On the Active Rules tab, you should now see your newly created rule.


Configure connector-provided scheduled queries 


We do often seem to start a section with a statement like this, but once again, I'll be referring to Azure Sentinel's out-of-the-box capabilities and how Microsoft makes it straightforward to configure relevant analytics rules. Earlier in the chapter, we already looked at the data source connector page and analytics rule templates, and in this section, we'll again be looking at these parts of Azure Sentinel.
If you open a Data Connector page, you can see the instructions that tell you how to connect that data source to the workspace. You might have noticed the Next Steps tab, which contains links to workbook templates, query samples, and Relevant Analytics Templates (see Figure 3-56).




FIGURE 3-56 Relevant Analytic Templates 


Here, you can click Create Rule, and you will be taken to the Analytics Rule Wizard— 
Create New Rule From Template page. From there, you can create and customize this rule. 
(We walked through using this wizard earlier in this chapter in “Create custom analytics rules 
to detect threats.”) 


TIP IN USE 


When checking relevant analytic rule templates, rules that have already been deployed will 
be marked with IN USE (see Figure 3-56). 


Although this isn't showcasing functionality that can't be found elsewhere in Azure Sentinel (especially on the Analytics page), it is strongly recommended that you activate all rule templates that use the data sources you are choosing to connect to your workspace, so having another method to verify this has been done correctly is never a bad thing! Do review each template's query, thresholds, and schedule against your environment as you enable it; a template written for a generic tenant can be noisy or blind in yours until it is tuned.


Configure custom scheduled queries 


Earlier in this skill, we discussed how to customize analytics rule templates. Now let's discuss 
how to create a custom scheduled query from scratch. If you've been following along using 
Azure Sentinel and testing out the steps earlier in this section, you've probably got a good idea 
what's coming in this section. We'll be using the Analytics Rule Wizard on the Analytics page 
to create our brand-new rule. This time—rather than deploying or amending an existing rule 
template—we will be completing the entire rule ourselves. 


So why do we need these rules? Aren't the rule templates enough to cover most likely 
security events? Although the analytics rule templates are written by experts and cover a wide 
range of scenarios, it is likely that a large, complex IT environment will need to have custom 
analytics rules for detections that are very specific to that environment or that are for data 
sources that don't have any rule templates. 
Let's step through creating an analytics rule from scratch:

1. Navigate to the Azure portal by opening https://portal.azure.com.

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure Sentinel Workspace page appears.

3. Select the workspace you want to use. The Azure Sentinel Overview page appears.

4. Click Analytics. The Analytics page appears.

5. Click Create > Scheduled Query Rule. The Analytics Rule Wizard—Create New Rule page appears, as shown in Figure 3-57.




FIGURE 3-57 A blank analytics rule wizard to create a new analytics rule 


6. The wizard is the same as the Analytics Rule Wizard used for templates, except this time, it is completely blank for you to fill in as you please. We covered the different fields and how to complete them in the wizard in the "Create custom analytics rules to detect threats" section, earlier in this chapter.

7. After the validation check, click Create.

8. You will return to the main Analytics page. On the Active Rules tab, you should now see your newly created rule.


Define incident creation logic 


For the final part of this section, we're going to address how to create incident creation logic, which is something we've skipped over to leave for the grand finale of this section. It's important to remember that although the exam outline (and hence, the title of this section) calls for learning how to define incident creation logic, what we're going to discuss in this section is the use of the Kusto Query Language (KQL), which is used to define the queries behind events, alerts, and incidents.
Kusto Query Language (KQL)

Kusto Query Language (KQL) is a query language used in several Microsoft products, so if you're learning about Microsoft security services, then it's worthwhile investing some time to become familiar with the language. A not-so-well-known fact is that Kusto Query Language is named after Jacques Cousteau, the famous underwater explorer. KQL is a high-level language (meaning that it is closer to human language), but it has the flexibility and power to perform complex queries. Although not identical, if you've spent time using SQL, then learning KQL should be a straightforward task.

KQL is a complex language with many operators, so in this section, we will cover the basics of KQL and some of the operators commonly used to form incident creation logic.


EXAM TIP 

For the SC-200 exam, make sure that you are comfortable reading KQL queries that typically 
might be found in an Azure Sentinel analytics rule. Aside from this study guide, study the 
rule templates in Azure Sentinel as examples of real-life incident/alert creation logic, and 
make sure you understand the KQL in them. 


Let's start with the basics. In KQL, you must define the table that you are searching in. In this example, I'm searching the OfficeActivity table (see Table 3-1) for Exchange workloads. The where operator is used to filter the table to a subset of rows. In this case, that means any rows that have Exchange in the OfficeWorkload column. Note that == is a case-sensitive comparison; use =~ if the casing of the values in a column is not guaranteed.

OfficeActivity
| where OfficeWorkload == "Exchange"


NOTE KQL SPACING

We have spaced out the KQL to make it easier to read, but you can put KQL on one line with correct spacing and syntax.


A very commonly used operator (and one of my personal favorites) is take. This operator 
returns the number of rows you specify: 


OfficeActivity 
| take 10 


In this case, the query would return 10 rows from the OfficeActivity table. This operator is 
especially useful for testing queries when you're not sure how many results it might bring back. 
Also, it’s helpful for looking at the structure and a few examples of rows from the specified table. 


NOTE GUARANTEEING A SORT ORDER 


When only the take operator is used by itself, the rows that are returned aren't guaranteed 
to be the same each time the query is run. You can only guarantee the sort by using the take 
operator in conjunction with a sort by operator, which is covered next. 
Sort is a powerful operator that does exactly as the name suggests: It sorts rows of the table by one or more specified columns in ascending or descending order:

OfficeActivity
| sort by OfficeWorkload, UserId asc

In this example, we're sorting the OfficeActivity table (see Table 3-1) by the OfficeWorkload column and then by the UserId column. Note that asc and desc apply only to the column they follow, and the default order is descending, so here OfficeWorkload is sorted in descending order and only UserId in ascending order; write OfficeWorkload asc, UserId asc if you want both ascending. A close relative of this operator is top, which will return the top values after the sort (for example, the top 10 or top 100). This can be very useful for making queries more efficient if you don't require the entire contents of the table to be sorted, which is often the case in security queries. Often, searches will be looking for things such as the top number of failed logins in an environment and the users associated with them.


TABLE 3-1 Commonly used KQL operators (example queries run against the OfficeActivity table)

Operator: where
Description: Filters on a specific predicate
Syntax: T | where Predicate
Example query:
    OfficeActivity
    | where OfficeWorkload == "Exchange"

Operator: take
Description: Returns the specified number of records
Syntax: T | take NumberOfRows
Example query:
    OfficeActivity
    | take 10

Operator: sort
Description: Sorts rows of the table by one or more specified columns in ascending or descending order
Syntax: T | sort by expression [asc|desc], expression2 [asc|desc], ...
Example query:
    OfficeActivity
    | sort by OfficeWorkload, UserId asc

Operator: top
Description: Returns the first N rows of the dataset when the dataset is sorted using a column or expression
Syntax: T | top numberOfRows by expression [asc|desc] [nulls first|last]
Example query:
    OfficeActivity
    | top 10 by OfficeWorkload asc

Operator: count
Description: Counts the number of records in the specified table
Syntax: T | count
Example query:
    OfficeActivity
    | count

Operator: summarize
Description: Groups the rows according to the by group columns, and calculates aggregations over each group. Aggregation functions include count(), sum(), avg(), min(), and max(). Note that count() takes no argument; to count per user, group by the column instead
Syntax: T | summarize Aggregation [by GroupExpression]
Example query:
    OfficeActivity
    | where OfficeWorkload == "Exchange"
    | summarize count() by UserId

Operator: extend
Description: Creates additional, calculated columns and adds them to the table
Syntax: T | extend ColumnName = Expression
Example query: see the extend lines in Listing 3-1 later in this section

Operator: project
Description: Selects the columns to include in the query result, in the order specified
Syntax: T | project ColumnName [, ColumnName2, ...]
Example query:
    OfficeActivity
    | where OfficeWorkload == "Exchange"
    | project Operation, UserType, UserId

Operator: let
Description: Creates a variable that can be referenced in queries
Syntax: let Name = ScalarExpression | TabularExpression;
Example query:
    let threshold = 10;
NOTE QUERIES DON'T CHANGE UNDERLYING DATA

All extra columns and tables created when queries run are ephemeral and exist only for the duration of the query. They are not stored in the underlying workspace. Remember that Log Analytics is immutable and thus, queries cannot change the underlying data.


Let's break down one of the query templates to better understand how KQL works in practice. Figure 3-58 shows the Failed AWS Console Logons But Success Logon To AzureAD rule, annotated with callouts: the // comments are not part of the query; the let statements define variables; parse_json makes the embedded JSON searchable for IP addresses; local logins are removed; make_list builds the list of IP addresses over the failed-login threshold; the second half searches the Azure AD sign-in logs, filters on ResultType, filters on the IP addresses over the threshold, and finally creates the account and IP address columns that form the query result.

FIGURE 3-58 Breaking down the Failed AWS Console Logons But Success Logon To AzureAD analytics rule
The KQL in the rule is shown in Listing 3-1.

Listing 3-1 Failed AWS Console Logons But Success Login to AzureAD

//Adjust this threshold to fit environment
let signin_threshold = 5;
//Make a list of IPs with failed AWS console logins
let aws_fails = AWSCloudTrail
| where EventName == "ConsoleLogin"
| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
| where LoginResult != "Success"
| where SourceIpAddress != "127.0.0.1"
| summarize count() by SourceIpAddress
| where count_ > signin_threshold
| summarize make_list(SourceIpAddress);
//See if any of those IPs have successfully logged into Azure AD
SigninLogs
| where ResultType !in ("0", "50125", "50140")
| where IPAddress in (aws_fails)
| extend Reason = "Multiple failed AWS Console logins from IP address"
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress


Let's break this rule down step-by-step:

1. The sign-in threshold variable is declared as 5 and is named signin_threshold.

2. A second variable is declared as aws_fails, but this variable is a list of IP addresses, so there are more lines of KQL to build that list.

3. Note that comments can be added to the query, prefixed with //, and they will be ignored by the query parser.

4. To find the IP addresses from AWS CloudTrail, the query first searches for ConsoleLogin events.

5. A new column called LoginResult is created using the extend operator. As part of the creation of this column, the parse_json function parses the embedded JSON in the ResponseElements column, so the query can search for records that do not contain Success.

6. Local logins (127.0.0.1) are removed.

7. The number of unsuccessful logins is summarized by the SourceIpAddress column.

8. A list is created of any IP addresses that the query has counted as having more than the threshold (5) unsuccessful login attempts.

9. This list of IP addresses is now our aws_fails variable.

10. Moving to the second part of the query, it searches the Azure AD sign-in logs to see whether there have been any logins to Azure AD from the list of IP addresses we made in the first part of the query. Read the ResultType filter carefully: 0 is a successful sign-in (50125 and 50140 are interrupted sign-ins that are usually treated as successful), and !in excludes those codes, so as written the filter keeps failed Azure AD sign-ins, not the successful ones that the rule name and the comment intend. When you deploy this template, change !in to in (or check the current version of the template) and test the rule against known data before relying on it.

11. Finally, any matching results are presented in a user-friendly manner and mapped to entities using the extend operator and custom entities (AccountCustomEntity and IPCustomEntity).
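To make the correlation above testable without a workspace, here is the same logic re-implemented in Python as an added example; it is not the book's or Microsoft's code. The input records carry only the AWSCloudTrail and SigninLogs columns the query references, the values (IP addresses from the RFC 5737 documentation ranges, user names at contoso.com) are constructed for the example, and the successes_only switch shows the difference between the in filter the rule intends and the !in filter in the listing.

```python
"""Added example: Listing 3-1's correlation re-implemented in Python over
constructed records, so the logic can be unit-tested without a workspace.
Not the book's or Microsoft's code; column names follow the KQL, all values
are made up."""
import json
from collections import Counter

SIGNIN_THRESHOLD = 5  # same knob as `let signin_threshold = 5;`

# Azure AD ResultType values the template treats as a successful sign-in:
# 0 = success, 50125 / 50140 = interrupts after the credentials were accepted.
SUCCESS_CODES = {"0", "50125", "50140"}


def failed_aws_console_ips(cloudtrail, threshold=SIGNIN_THRESHOLD):
    """Build the `aws_fails` list: source IPs with more than `threshold`
    failed ConsoleLogin events, excluding the local address.

    Mirrors: where EventName == "ConsoleLogin"
             | extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
             | where LoginResult != "Success" | where SourceIpAddress != "127.0.0.1"
             | summarize count() by SourceIpAddress | where count_ > threshold
    """
    fails = Counter()
    for ev in cloudtrail:
        if ev["EventName"] != "ConsoleLogin":
            continue
        # ResponseElements is a JSON string in CloudTrail, hence parse_json() in KQL
        result = str(json.loads(ev["ResponseElements"]).get("ConsoleLogin", ""))
        if result == "Success" or ev["SourceIpAddress"] == "127.0.0.1":
            continue
        fails[ev["SourceIpAddress"]] += 1
    return {ip for ip, n in fails.items() if n > threshold}


def correlate(cloudtrail, signin_logs, threshold=SIGNIN_THRESHOLD, successes_only=True):
    """Second half of the query: sign-ins from the suspect IPs, shaped like
    the rule's output columns.

    successes_only=True applies `ResultType in (...)`, which is what the rule
    name and comment intend.  False reproduces the `!in` in the listing, which
    keeps failed sign-ins instead."""
    suspects = failed_aws_console_ips(cloudtrail, threshold)
    hits = []
    for s in signin_logs:
        is_success = s["ResultType"] in SUCCESS_CODES
        if is_success != successes_only or s["IPAddress"] not in suspects:
            continue
        hits.append({
            "Reason": "Multiple failed AWS Console logins from IP address",
            "timestamp": s["TimeGenerated"],
            "AccountCustomEntity": s["UserPrincipalName"],  # account entity mapping
            "IPCustomEntity": s["IPAddress"],               # IP entity mapping
        })
    return hits


# --- constructed sample data (RFC 5737 documentation addresses, fake users) ---
BAD_IP, QUIET_IP = "198.51.100.23", "203.0.113.5"


def _ct(ip, outcome, name="ConsoleLogin"):
    return {"EventName": name, "SourceIpAddress": ip,
            "ResponseElements": json.dumps({"ConsoleLogin": outcome})}


SAMPLE_CLOUDTRAIL = (
    [_ct(BAD_IP, "Failure") for _ in range(6)]            # over the threshold
    + [_ct(QUIET_IP, "Failure") for _ in range(3)]        # under the threshold
    + [_ct("127.0.0.1", "Failure") for _ in range(9)]     # excluded as local
    + [_ct(BAD_IP, "Success", name="GetCallerIdentity")]  # not a ConsoleLogin
)

SAMPLE_SIGNINS = [
    {"TimeGenerated": "2021-06-01T09:12:00Z", "UserPrincipalName": "alice@contoso.com",
     "IPAddress": BAD_IP, "ResultType": "0"},       # success from a suspect IP: should fire
    {"TimeGenerated": "2021-06-01T09:13:00Z", "UserPrincipalName": "bob@contoso.com",
     "IPAddress": BAD_IP, "ResultType": "50126"},   # bad password from a suspect IP
    {"TimeGenerated": "2021-06-01T09:14:00Z", "UserPrincipalName": "carol@contoso.com",
     "IPAddress": QUIET_IP, "ResultType": "0"},     # success from a non-suspect IP
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_CLOUDTRAIL, SAMPLE_SIGNINS):
        print(hit)
```

Running it with the intended in semantics returns only alice's successful sign-in from the IP that exceeded the AWS failure threshold; with successes_only=False (the listing's !in) it returns bob's failed sign-in instead, which is the practical effect of the filter discussed in step 10. Keeping the two halves as separate functions is deliberate: it lets you test the threshold and the local-address exclusion on CloudTrail data alone before wiring in the sign-in logs.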


TIP UNCODER.IO 


If you're trying to translate rules from another SIEM to KQL, uncoder.io is a great free tool to use (see https://uncoder.io/). It provides rule "translations" from other SIEM languages and is a great way to pick up KQL if you have previously worked on other SIEMs. Treat the output as a starting point: verify each translated query against your own data before enabling it as an analytics rule.
Skill 3-4: Configure Security Orchestration, Automation, and Response (SOAR) in Azure Sentinel

Security orchestration, automation, and response (SOAR) is a powerful tool that can help streamline security operations and is sometimes overlooked in the context of Azure Sentinel. People forget that Azure Sentinel is both a SIEM and a SOAR product. In the past, SIEM and SOAR products were separate, had to be purchased separately, and might not have come from the same vendor. In this section, we'll learn about how to work with the SOAR capabilities in Azure Sentinel.


Create Azure Sentinel Playbooks 


If you've used other Azure products, you might already be familiar with Azure Logic Apps, 
which is the main “engine” that drives automation in Azure Sentinel. Azure Logic Apps is a GUI- 
based tool that can create complicated automation Playbooks with little-to-no programming 
and coding knowledge required. This is great for SOC analysts and SOC engineers who might 
have little previous knowledge of how to make automation scripts. If you've used Microsoft 
Flow before, you'll also have a good idea of what to expect when it comes to creating automa- 
tion in Azure Sentinel. 


Before we go any further, let's have a terminology check to clarify our understanding: 


■ Azure Logic Apps This is the name of the Azure service that provides automation throughout the Azure cloud, including for Azure Sentinel. Because Azure Logic Apps is a separate service from Azure Sentinel, it requires separate permissions for a user to create and run Playbooks (which are discussed earlier in the chapter).

■ Playbook A Playbook is a collection of automated actions in a workflow.

■ Logic App connector This is not the same as an Azure Sentinel data connector. Instead, a Logic App connector is a predefined trigger or action that can be added into a Playbook. At the time this book was written, there were more than 300 Logic App connectors.


MOREINFO LOGIC APP CONNECTOR LIST 


You can look at the full current list of Logic App connectors here: https://docs.microsoft. 
com/en-us/connectors/connector-reference/connector-reference-logicapps-connectors. 


There are three main scenarios for which automation is used in Azure Sentinel: 


■ Alerting This is the most used type of automation and the most straightforward to configure. When an incident or alert is triggered, Playbooks can be configured to send emails, Teams messages, and the like to alert the on-call team that an incident has been raised.

■ Remediation This is where automation takes remedial action in the IT environment to contain or even stop a security incident. Examples here could be isolating a virtual machine that has an Azure Defender alert raised against it, blocking the account of a user in Azure AD when their activity indicates the account has been compromised, or taking a malicious IP address from an incident in Azure Sentinel and writing a block rule back to the firewall to stop traffic from that IP address.


TIP ALERTING AND REMEDIATION 


Although they can be configured independently of each other, alerting and remediation 
can—and usually should be—contained in one Playbook. 


■ Enrichment This is where supplementary data is used to "enrich" raw logs and results. This can be done as an alert, when an incident is triggered, or during an investigation. For example, after an incident has been raised, a SOC analyst could run an enrichment Playbook to check if the IP address entities in the incident match third-party threat intel feeds (for example, VirusTotal).

Let's look at how to create a simple email alert Playbook in Azure Sentinel:

1. Navigate to the Azure portal by opening https://portal.azure.com.

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure Sentinel Workspace page appears.

3. Select the workspace you want to use. The Azure Sentinel | Overview page appears.

4. Click Automation. The Automation page appears, as shown in Figure 3-59.




FIGURE 3-59 Reviewing the Automation page 
5. Click Create > Add New Playbook. The Create A Logic App page appears, as shown in Figure 3-60.




FIGURE 3-60 Completing the details of a Logic App 


6. Fill out the Subscription, Resource Group, Region, and Name of the Playbook and 
click Review + Create, as shown previously in Figure 3-60. 


7. When your template has validated, click Create. 


8. Open the blank Playbook you have created; you will be given the option to choose from 
various predefined templates. This time, we will select Blank Logic App. The Logic Apps 
Designer page appears. 


9. We can now search for a trigger to kick-off the Playbook in the Logic App Connector 
gallery. In Figure 3-61, you can see that we are searching for an Azure Sentinel trigger. 




FIGURE 3-61 Searching for an Azure Sentinel trigger in the Logic App Connector gallery 
10. Select the When A Response To An Azure Sentinel Alert Is Triggered trigger.

11. Sign in to create a connection to your Azure Sentinel workspace from the Playbook, as shown in Figure 3-62. You can also use a service principal or managed identity if you would prefer. For a production Playbook, prefer a managed identity granted only the role the Playbook needs (for example, Microsoft Sentinel Responder) over an individual user's sign-in, so the automation neither depends on nor inherits the privileges of a personal account.




FIGURE 3-62 Signing in to Azure Sentinel from the Logic App designer 


12. For the next step in the Playbook, I'm going to select the Outlook.com connector and under Actions, I will choose Send An Email (V2). This is where we will configure the email to be sent when an alert is raised in Azure Sentinel (see Figure 3-63).




FIGURE 3-63 Selecting the send email action in the Logic Apps designer 
NOTE EMAIL CONNECTORS

In this example, I have chosen Outlook.com because this is where the email account that I am using resides. As is the case with other types of Logic App connectors, there are multiple email connectors, such as Office 365 Outlook and Gmail. Choose the right connector for your needs!

Sign in to the Outlook account; the connector will allow you to configure the email that will be sent when the Playbook is triggered. Add the address(es) to which you want the email to be sent, the title of the email, and the body of the email. There are other optional parameters that you can choose to configure at this point. It is possible to add dynamic content from the alert, such as the name of the alert, the severity, a description, and so on, that will be populated dynamically from the alert when the Playbook is triggered. This helps give SOC analysts a better idea of what is happening in the initial notification, as shown in Figure 3-64.




FIGURE 3-64 Configuring the details of the email to be sent when an alert is triggered 


13. Click Save at the top-left of the Logic App Designer page. 
14. Navigate to the Overview page of the Playbook. 


15. Select Run Trigger > Run to test-run your Playbook, as shown in Figure 3-65. Look to the bottom-right of the page to see whether the Playbook ran successfully.


FIGURE 3-65 Manually running a Playbook to test it 


Arguably, the most attractive aspect of a SOAR capability is the automation aspect. Rather 
than relying on a human resource to take actions, automation can do things quicker and more 
reliably. We already touched on this during the analytics rule section of this chapter, but let's 
dive into how to configure analytics rules and incidents to trigger Playbooks. 

Why do we want to attach Playbooks to an analytics rule? Quite simply, this is the quickest and 
easiest way to alert and/or respond to a threat that Microsoft Sentinel detects. By attaching a 
Playbook to an analytics rule, when that rule is triggered, the Playbook will automatically run and 
take the specified actions. Even before an SOC analyst goes to look at the incident or alert, the 
Playbook could have taken remedial action. Some SOCs who have a mature automation capabil- 
ity can use automation to entirely resolve incidents without human intervention. Microsoft's own 
SOC tries to do this where possible. Of course, there will be incidents or attacks that have never 
been seen before and cannot be automated away, but this means that SOC analysts can be more 
efficient in the time they spend on investigations rather than repetitive tasks. 

In this section, we will look at how you can customize analytics rules to optimize them. Let's 
go back to the Analytics page and the analytics rule templates: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Microsoft Sentinel. The Microsoft Sentinel Workspace page appears.


3. Select the workspace you want to use. The Microsoft Sentinel | Overview page appears. 
4. Click Analytics. The Analytics page appears. 


5. Select the rule you want to attach a Playbook to and click Edit at the bottom of the rule 
template summary. 
6. You will be taken to the Analytics Rule Wizard. Select the Automated Response tab.


7. Under Alert Automation, you can select Playbooks that are configured to run when 
the rule is triggered (see Figure 3-66). 




FIGURE 3-66 Attaching a Playbook to an analytics rule 


8. On the Review And Create tab, click Save after the validation check. 


NOTE ONLY ENABLED PLAYBOOKS APPEAR 


Only Playbooks that are enabled will show in the drop-down menu to be attached to an 
analytics rule. 


Use Playbooks to remediate threats 


As we discussed earlier in this section, one of the most powerful aspects of a SOAR capability is 
the ability to remediate threats automatically. Even with the best and smartest SOC analysts in 
the world, they will never be able to respond as quickly or efficiently to an incident as auto- 
mation can, which means automation can reduce the potential impact of an incident. Using 
Playbooks to remediate threats also frees up SOC analysts’ time to concentrate on incidents 
that haven't been seen before, cannot be remediated automatically, and therefore need hu- 
man intervention. 


Although this is not an exhaustive list, here are some examples of the kind of security 
incident remediation that are possible using Azure Logic Apps: 
■ Blocking a user account in Azure AD to prevent an account that might have been compromised from being able to access resources in the IT environment

■ Writing a rule to a firewall to block an IP address from which malicious traffic is being sent

■ Isolating a virtual machine in Azure that might have been compromised to prevent further lateral movement

■ Taking a snapshot of an Azure virtual machine for evidence-gathering purposes when the machine exhibits suspicious activity

■ Blocking a malicious IP address on an on-premises Exchange server to prevent further access to the server from that specific address if suspicious traffic and/or activity has been seen originating from there


It can be challenging to decide what remediation action might be appropriate—especially 
if automated remediation is something that hasn't been part of your security operations previ- 
ously—so it's important to take a step back and work out your use cases. Consider your most- 
raised security incidents and any repetitive tasks that SOC analysts undertake to resolve those 
incidents. Could these be automated? Are there some actions that you'd always like to take no 
matter what the incident is? What automation an organization chooses to take can vary widely. 
For example, a highly risk-averse organization might choose to immediately block any Azure 
AD user accounts that exhibit suspicious activity, but this will put an additional burden on the 
service desk, which will have to re-enable accounts, possibly reducing productivity. There is also 
the risk of an account being blocked as a false positive because no SIEM can get things right 
100 percent of the time. 


EXAM TIP 


If you're stuck for remediation Playbook ideas, check out the Azure Sentinel GitHub 
repo for Playbooks. It has many free examples of Playbooks that have been made by the 
community and are templatized so you can easily deploy them in several clicks. Before your 
SC-200 exam, make sure you have deployed a few of these Playbook templates to your own 
demo environment and that you are familiar with how they can be constructed. See 
https://github.com/Azure/Azure-Sentinel/tree/master/playbooks. 


Use Playbooks to manage incidents 


In this chapter, it’s already been mentioned several times that even the best and most efficient 
SOC analysts don’t always have enough time to fully investigate every alert and incident that 
comes into an SOC. SOC analysts commonly undertake repetitive, time-consuming tasks to 
close incidents, change statuses, assign out incidents to on-shift analysts, and so on. 


Aside from remediation, Azure Sentinel’s SOAR capabilities can help to reduce the adminis- 
trative overhead of dealing with incidents. In this section, we'll detail some examples—not an 
exhaustive list—of how overhead on incident management can be reduced using automation: 


■ Automatically assigning incidents to on-shift analysts Using the shifts feature 
in Teams, a Playbook can be used to decide which analyst is on-shift and available and 
automatically assign that ticket to that analyst. The Playbook can also send a notification 
to that analyst to let them know an incident has been assigned to them using a messag- 
ing system, email, and the like. 

■ Automatically assigning incidents to an entity owner Similar to the previous 
example, a Playbook can be used to look up the owner of an entity (for example, a host) 
that is involved in an incident and assign the incident for them to investigate. As in the 
previous example, the Playbook can also send a notification to the asset owner to let them 
know an incident has been assigned to them using a messaging system, email, and so on. 

■ Creating a ticket in a third-party ticketing system Many organizations utilize SaaS 
ticketing systems to manage their IT operations and can draw statistics and reporting 
from that system about the number of incidents, time to resolve, and so on. Although 
the incident system in Azure Sentinel is robust, it might make more sense for incidents 
to be managed in a third-party system (such as ServiceNow) to align with the wider 
organization's IT operations and reporting. A Playbook can be used to create a ticket 
in a third-party system when an incident is triggered and populate all the details of the 
incident in that third-party system. This saves SOC analysts' time and effort copying and 
pasting the details across from one system to another. 

■ Syncing third-party incident system updates with Azure Sentinel incidents 
Related to the previous example, if a third-party system is being used to track and 
manage incidents, a Playbook can be used to sync the information between Azure 
Sentinel and the third-party ticketing system, so there is no time-consuming copying 
and pasting between two systems. (Copying and pasting between systems is not a good 
use of SOC analyst time!) 

■ Enrich incident details from third-party systems When an incident is raised, a 
Playbook can be used to enrich the details of the entities involved in an incident and 
post a comment to give the analyst additional context. This saves the SOC analyst time 
and effort to log in to another portal or system to look up these details manually. Typi- 
cal examples of enrichment include looking up the asset owner of a host or checking if 
an IP address matches any threat intelligence feeds (such as VirusTotal). 

■ Add a user/host/IP address to a Watchlist A Playbook can take entities from an in- 
cident and add them into a watchlist so that they can be flagged in other analytics rules 
that refer to the watchlist. This saves an SOC analyst from having to do this manually. 


Use Playbooks across Microsoft Defender solutions 


If you're using other Microsoft Defender solutions, using Playbooks is an ideal way to create 
a conjoined response to security events and incidents across your Microsoft product suite. As 
one would expect, Azure Logic Apps provides many ways to do this with Logic App connectors. 
As a reminder, when we're discussing Microsoft Defender solutions, we're talking about: 


■ Azure Defender 

■ Azure Defender for IoT 

■ Microsoft Defender for Endpoint 

■ Microsoft Defender for Identity 

■ Microsoft Defender for Office 365 

As you can see in Figure 3-67, when you search for defender in the Logic Apps designer, 
there are already many built-in triggers and actions that you can select from. 


[Figure 3-67 shows the Logic Apps designer's Choose an operation pane, with the Triggers 
and Actions tabs, listing Microsoft Defender operations such as Actions - Collect investigation 
package and Actions - Get investigation package download URI.] 


FIGURE 3-67 Searching for Microsoft Defender triggers and actions 


Let's look through an example to demonstrate how simple this can be. Rather than start- 
ing from scratch, as we have done earlier in this section, I'm going to use a template from the 
Azure Sentinel GitHub repo: 


1. Navigate to the Azure Sentinel GitHub repo page by opening https://github.com/ 
Azure/Azure-Sentinel. 


2. Click playbooks to be taken to the Playbooks section of the repo. 


3. Select the Playbook that you want to deploy. For this example, I'll be selecting Isolate- 
MDATPMachine, as seen in Figure 3-68. 


FIGURE 3-68 Selecting a Playbook template to deploy in the Azure Sentinel GitHub repo 
4. Click Deploy To Azure, and you will be taken to the Azure portal and the Custom 
Deployment Template. 


NOTE ARM TEMPLATES 


Playbook templates from the Azure Sentinel GitHub repo are all Azure Resource 
Manager (ARM) templates. You can read more about ARM templates at https://docs. 
microsoft.com/en-us/azure/azure-resource-manager/templates/. 


5. As shown in Figure 3-69, you need to complete the parameters of the Playbook 
template so that it can be deployed. The exact parameters each template will ask for 
will depend on the Playbook contents, but you will always be asked for Subscription, 
Resource Group, Region, and Playbook Name. 


[Figure 3-69 shows the Custom deployment page (Deploy from a custom template) on the 
Basics tab. The template summary reports a customized template with 3 resources and 
offers Edit template and Edit parameters links. Project details: Subscription (Contoso 
Security Operations) and Resource group (Sentinel, with a Create new link). Instance 
details: Region, Playbook Name (Isolate-MDATPMachine), and User Name 
(<username>@<domain>).] 


FIGURE 3-69 Entering parameters into a Playbook template for deployment 
6. Let the validation check complete and then click Create. 


7. Wait for your template to deploy successfully. Once complete, you will see the message 
shown in Figure 3-70. 


[Figure 3-70 shows the "Your deployment is complete" message with the deployment name 
(Microsoft.Template-), Subscription: Contoso Security Operations, Resource group: 
Sentinel-RG, a Deployment details section (with a Download link), and a Next steps 
section with a Go to resource group link.] 


FIGURE 3-70 A completed template deployment 


8. Navigate to Azure Sentinel in the Azure portal and open the Automation page. You 
should find your newly deployed Playbook listed under playbooks. 


NOTE AUTHORIZING THE CONNECTION 


Playbook templates will deploy connections, but sometimes you will need to authorize 
the connection after deployment before the connection is made. This is expected behav- 
ior and does not mean the Playbook template is broken. 


9. Open the Playbook and open the Logic App Designer. 


10. Expand the steps of the Playbook, and you will see the triggers and actions have already 
been prepopulated and configured by the ARM template that we deployed, as shown in 
Figure 3-71. 
[Figure 3-71 shows the deployed Playbook in the Logic Apps designer. The trigger is 
"When Azure Sentinel incident creation rule was triggered (Preview)" ("No additional 
information is needed for this step. You will be able to use the outputs in subsequent 
steps."). It is followed by an "Entities - Get Hosts (Preview)" action whose Entities list 
input is the trigger's Entities output, then a For each loop over the Hosts output. Inside 
the loop, an "Actions - Isolate machine" action has Machine ID set to the host's Hostname, 
the Comment "Isolated from the automation within Azure Sentinel", and Isolation Type 
set to Full. Each connector step shows a Change connection link.] 


FIGURE 3-71 Checking a template deployment in Logic Apps designer 


11. This Playbook is ready to go and can now be attached to an analytics rule, as we 
discussed earlier in this section. 


Let's walk through what this Playbook is doing: 

1. When an incident creation rule is triggered, the Playbook will run. 

2. Details about the host entities from the Azure Sentinel incident that has been raised are 
sent to Microsoft Defender for Endpoint. 

3. Subsequently, those machines are isolated. 

Far quicker than any human, Azure Sentinel and Microsoft Defender for Endpoint have 
worked together to isolate the hosts that are part of a security incident to reduce the “blast 
radius” or impact of an incident and—if these machines have been breached by an attacker— 
are stopping the attackers from being able to cause any more damage or from moving laterally 
in your IT environment. 


CHAPTER3 Mitigate threats using Azure Sentinel 
Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


NOTE PLAYBOOKS ACROSS FROM-SCRATCH SOLUTIONS 


Remember that you can make Playbooks that span across Microsoft Defender solutions 
from scratch, as described earlier in this section; it’s not only templates that can be utilized. 


Skill 3-5: Manage Azure Sentinel incidents 


If you've only seen one part of Azure Sentinel before you started studying for the SC-200 exam, 
the incident part is likely to have been it. Incidents are the first thing that comes to mind for 
most people when they think of what a SIEM does, and this is entirely understandable because 
incidents are where the action takes place. This is where an SOC analyst will investigate what is 
happening or what has happened in the IT environment to trigger an incident, verify whether 
the incident is a false-positive, understand the blast radius of the incident, and so on. The 
core function of an SOC (and the SOC analysts who work in that department) is to deal with 
security incidents. 


This section of the chapter covers the skills necessary to investigate single- and multi- 
workspace incidents, triage and respond to Azure Sentinel incidents, and use User and Entity 
Behavior Analytics (UEBA) to detect threats according to the SC-200 exam outline. 


Investigate incidents in Azure Sentinel 


Investigating incidents is critical for an SOC analyst to understand the severity and scope of 
a potential security issue. The investigation graph in Azure Sentinel allows an SOC analyst 
to quickly and efficiently investigate and query alerts and entities in an incident, and Azure 
Sentinel assists by suggesting additional context-aware queries to be run. 


NOTE AZURE SECURITY INSIGHTS 


A fun fact: You might have noticed that when accessing Azure Sentinel in the Azure portal, 
the URL contains the name “Azure Security Insights.” You'll also find it referenced in Azure 
Sentinel Azure AD permissions. This was what Azure Sentinel was called in Microsoft before 
it was given its official name. Why do I mention this here? Well, Azure Sentinel is always 
offering insights into security issues and suggesting further things that could be queried 
in the investigation graph, so this is a great section to bring this fact up! 
First, let's look at the Incidents page in Azure Sentinel that is shown in Figure 3-72. 


[Figure 3-72 shows the Incidents page. The header counts Open incidents, New incidents, 
and Active incidents and charts open incidents by severity (High, Medium, Low, 
Informational). Filters are available for Severity, Status, Product name, and Owner. The 
incident list has columns for incident ID, title, severity, number of alerts, product names 
(origin of the alerts), created time, last update time, and owner. Callouts point to the 
name of the incident, the rule severity, the number of alerts in the incident, the origin of 
the alerts, the incident created time, the incident updated time, and the owner.] 


FIGURE 3-72 Navigating the Incidents page in Azure Sentinel 


The Incidents page that lists all the open incidents in Azure Sentinel is self-explanatory and 
contains details of each open incident such as the title, severity, created time, and the owner of 
the incident. An incident is a collection of alerts. 


NOTE SECURITYINCIDENTS TABLE 


The SecurityIncidents table contains details of all incidents that have occurred in your 
Azure Sentinel workspace—open or closed—and is commonly used for reporting SOC 
performance statistics, such as trends in the number of incidents raised over time, time 
to triage, and so on. Azure Sentinel only stores the details of incidents for as long as your 
workspace retention is set to, so remember to align your SecurityIncidents table retention 
period with your SOC reporting needs. 
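The kind of reporting query this note describes, as an added example that is not from the book: in Log Analytics the table is named SecurityIncident, and it stores one row for every update to an incident, so the query first reduces each incident to its latest row before computing weekly statistics per severity. The 30-day window and the use of FirstModifiedTime as a proxy for time to triage are assumptions.

```kql
// Added example: SOC performance statistics from the SecurityIncident table.
// The table holds one row per incident update, so reduce each incident to its
// latest row (highest LastModifiedTime) before counting or measuring anything.
let lookback = 30d;   // assumption: report over the last 30 days
let LatestIncidentState =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber;
LatestIncidentState
// Time to first touch (FirstModifiedTime - CreatedTime) is used as a rough proxy
// for time to triage; time to close only exists once an incident is Closed.
| extend TimeToFirstTouch = FirstModifiedTime - CreatedTime,
         TimeToClose = iff(Status == "Closed", ClosedTime - CreatedTime, timespan(null))
| summarize
    Incidents = count(),
    Closed = countif(Status == "Closed"),
    AvgTimeToFirstTouch = avg(TimeToFirstTouch),
    P90TimeToClose = percentile(TimeToClose, 90)
    by Severity, Week = bin(CreatedTime, 7d)
| order by Week asc, Severity asc
```

Because the query reads only rows inside the workspace retention window, incidents older than the retention period disappear from these statistics, which is the point the note makes about aligning retention with reporting needs.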


So we've selected our incident that we want to investigate; let's dig into how we do this: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 

3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 

4. Click Incidents. The Incidents overview page appears. 

5. Select the incident you want to investigate and click View Full Details. The Incident 
page appears. 

6. Click Investigate. You will be taken to the investigation graph. What you see on this 
page depends on the incident itself, but the structure of the interface is shown in 
Figure 3-73. 


[Figure 3-73 shows the Investigation view with callouts for the name of the incident 
(Suspicious impersonated activity), the rule severity (Low), the status (New), the owner 
(Unassigned), and the incident updated time. The graph canvas sits below these, with the 
icons for the additional investigation panes alongside it.] 


FIGURE 3-73 The incident investigation graph in Azure Sentinel 


7. Figure 3-74 shows that alerts contained in the incident are denoted by a large circle 
containing an exclamation point. If you click the circle, a summary of the alert is shown 
on the left side of the investigation graph. 


[Figure 3-74 shows the alert summary pane for the Suspicious impersonated activity alert. 
Its description begins: "The user impersonated more than 5 different accounts in a single 
session. Additional risks in this user session: This user is an administrator in Office 365 
(Default)." The Severity field shows Low.] 


FIGURE 3-74 Drilling into an alert in the investigation graph 
8. Figure 3-75 shows the entities that are related to the alert in question. They are linked 
in the investigation graph with lines. If you hover over an entity, Azure Sentinel will sug- 
gest further context-aware queries that an SOC analyst might want to run to un- 
derstand and investigate the incident further. In Figure 3-75, Azure Sentinel is suggest- 
ing that a number of different queries could be run against the account in question; let's 
look at the Hosts The Account Failed To Log In To The Most query. If a user account 
has been compromised, understanding which hosts it has tried and failed to log in to 
can help an SOC analyst understand what other devices might be compromised and 
what kind of resources an attacker is looking to access in an organization's environment. 


[Figure 3-75 shows the user entity in the investigation graph with its list of suggested queries.] 


FIGURE 3-75 Drilling into an alert in the investigation graph 


9. Clicking the suggested query will display the results of that query in the investigation 
graph, too. Figure 3-76 shows that after running the Hosts The Account Failed To Log 
In To The Most query, additional entities are added to the investigation graph, and 
their relationship to the rest of the incident is displayed. 


FIGURE 3-76 Additional host entities added to the investigation graph 
10. These additional entities can also be queried further to dig even deeper into what is hap- 
pening in an incident. This can help an SOC analyst get a full picture of what is happening. 
Theoretically, this querying of entities could go on ad infinitum, but an SOC analyst usually 
will need to dig only a few “layers” deep to perform an effective investigation. 


11. Let's review the additional investigation panels that can also be used for investigation: 

■ Timeline The Timeline panel will order all alerts in date and time order so that 
an SOC analyst can understand the order in which events in the incident happened 
(see Figure 3-77). 


[Figure 3-77 shows the Timeline panel listing the incident's alerts (two Suspicious 
impersonated activity alerts) beside the Timeline, Info, and Entities icons.] 


FIGURE 3-77 The timeline panel in the investigation graph 


■ Info The Info panel provides more in-depth information about the selected alert 
or entity. 

■ Entities The Entities panel provides a summary of the entities being displayed in 
the investigation. 

■ Insights The Insights panel (see Figure 3-78) shows other insights about an entity 
that Azure Sentinel's built-in UEBA engine thinks is relevant and useful for an SOC 
analyst to know. 


[Figure 3-78 shows the Insights panel with collapsible sections such as Actions on 
accounts, Event Logs cleared on host, Group additions, Enumeration of hosts, users, groups 
on host, and Host IP address remote connections, each reporting "No results" for this 
entity, beside the Timeline and Help icons.] 


FIGURE 3-78 The insights panel in the investigation graph 
EXAM TIP 


When preparing for the SC-200 exam, spend some time investigating incidents via the inves- 
tigation graph. Incidents are highly contextual, and it isn't possible to list or show all the 
possible insights and queries that Azure Sentinel might suggest. 


Triage incidents in Azure Sentinel 


Most of us are familiar with the concept of triage from a medical perspective, but how does 
that work in security operations? This is the dictionary definition of triage: 


“The process of examining problems in order to decide which ones are the most serious and 
must be dealt with first.” 


Therefore, it’s easy to see why triaging incidents is a critical activity for an SOC to decide how 
to prioritize which incidents to work on first. 


How can we triage incidents in Azure Sentinel? There are several ways that this can be done, 
and a real-life SOC analyst would use a combination of these methods to maximize their triage 
effectiveness. It's important to remember that triage won't look the same for every organi- 
zation: What one organization considers to be a high-severity incident might be another's 
medium- or low-severity incident. SOC managers and analysts must work closely with their 
business stakeholders and technology risk professionals to align severity ratings with their 
security posture and risk tolerance. 


When an incident is raised in Azure Sentinel, it can be triaged in several areas. Following is a 
chronological look at the lifecycle of an incident: 


■ In an analytics rule As discussed earlier in this chapter, when you configure an ana- 
lytics rule, you must set the initial severity. This initial severity rating will help an SOC 
analyst decide how to triage the incident. 

■ In a watchlist If entities in the incident match a watchlist (for example, VIP users), an 
analytics rule can be configured to make the incident higher or lower severity. 

■ How many alerts are part of the incident As shown earlier in this chapter, it's pos- 
sible to configure an analytics rule to collect alerts in a set time period to be collected 
into one incident. An incident that involves many alerts is likely to be set at a higher 
priority than one with fewer alerts. 

■ Using TI matching Threat intelligence can be used to check if there are IOC (indica- 
tors of compromise) matches with any TI feeds that Azure Sentinel is ingesting. For 
example, if an IP address is raised in an incident, an analyst could run a Playbook to 
determine if this was a known-malicious IP and reference a third-party service such as 
VirusTotal. If the IP was found to be a known-malicious IP, then the severity could be 
increased, and it could be prioritized. 

■ Using enrichment from third-party sources Similar to the previous point, enrich- 
ment doesn't just have to be about TI. Enrichment could be an inventory management 
system that stores the criticality of an asset. This means an incident raised against a 
single user desktop might only be classified as being a low-priority incident. However, 
an incident raised against an e-commerce company's web servers could be critical to 
investigate and resolve, and thus, it might be considered to be a high-priority incident. 
Once again, this could be automated in either a Playbook that is run as the incident is 
triggered, or it could be a manually run Playbook during the course of an investigation. 


Respond to incidents in Azure Sentinel 


Now we've investigated and triaged an incident, we need to respond to resolve it. Azure Senti- 
nel makes this easy with automation. In this section, we will look at how you can run Playbooks 
to resolve incidents, so we're not talking about how we can trigger automation to happen 
when an incident is raised; instead, we're talking about the next step. 


Let's work through an example incident: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 

3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 

4. Click Incidents, which opens the Incidents overview page. 

5. Select the incident you want to respond to and click View Full Details. 

6. A list of all alerts that are part of an incident are shown on the Timeline tab (see Fig- 
ure 3-79). 


[Figure 3-79 shows the incident page's Timeline (Preview) tab alongside the Alerts, 
Bookmarks, Entities (Preview), and Comments tabs, with filters for Timeline content, 
Severity, and Tactics, a View playbooks link, and one alert, "Suspicious Remote WMI 
Execution", detected by Microsoft Defender for Endpoint.] 


FIGURE 3-79 Viewing alerts on the Timeline tab 


7. Click View Playbooks, and you will be taken to the Alert Playbooks page where all 
Playbooks that have been configured in the workspace will be listed. By clicking Run, 
you can trigger one or more Playbooks to run in the context of the selected alert (see 
Figure 3-80). 
[Figure 3-80 shows the Alert Playbooks page with Playbooks and Runs tabs. The 
Playbooks list has Name and Status columns and shows Get-MDATPInvestigationPackage, 
Isolate-MDATPMachine, and Run-MDATPAntivirus, all Enabled, each with a Run button.] 


FIGURE 3-80 Selecting a Playbook to run against an alert in an incident 


8. The SOC analyst who has been assigned the incident can then update the case notes as 
appropriate on the Comments tab of the incident’s page (see Figure 3-81). 


[Figure 3-81 shows a comment on the incident's Comments tab from Sarah Young, dated 
05/29/21, 02:46 PM: "Have responded to this incident by running playbooks, all now resolved."] 


FIGURE 3-81 Posting comments on the incident tab 


EXAM TIP 

Remember, for your SC-200 exam, everything rolls up to Azure Sentinel, so this is where you 
should always be driving incident investigations toward triage and response from Azure 
Sentinel. If necessary, you might need to drill down into individual Microsoft security ser- 
vice portals. 


Investigate multi-workspace incidents 


When preparing for the SC-200 exam, it's important to remember that there are two types of 
multi-workspace scenarios that you might be asked about in relation to Azure Sentinel: 


■ Cross-tenant scenario Where multiple Azure tenancies each have Azure Sentinel 
workspaces that need to be centrally managed 

■ Cross-workspace scenario Where there are multiple workspaces in one Azure 
tenancy that need to be centrally managed 

At the beginning of this chapter, we discussed the considerations when designing Azure Sen- 
tinel workspaces and why some organizations might require more than one workspace in their 
deployment. Some customers might also choose to outsource the running of their SOC to a Man- 
aged Security Service Provider (MSSP) that will handle security operations on their behalf. 
Aside from Azure Lighthouse, there are several Log Analytics and Azure Sentinel features 
that allow you to investigate incidents across workspaces in the same Azure tenant. 


■ Cross-workspace analytics rules Analytics rules can be configured to search other 
workspaces when they are correlating logs. To enable this capability, we have to use the 
workspace and union KQL operators. Using the queries we used in the “Define incident 
creation logic” section earlier in this chapter, let's see how we would need to update 
them to make them cross-workspace. This is the original query: 

OfficeActivity 
| where OfficeWorkload == "Exchange" 

To convert this to a cross-workspace query, it would become: 

union workspace('<workspaceA>').OfficeActivity 
| union workspace('<workspaceB>').OfficeActivity 
| where OfficeWorkload == "Exchange" 


■ Cross-workspace hunting queries Like cross-workspace analytics rules, the work- 
space and union KQL operators can be used in hunting queries to proactively detect 
threats and anomalies across multiple workspaces in an environment. 

■ Cross-workspace workbooks The workspace and union KQL operators can also 
be used to display consolidated statistics and visualisations from different workspaces. 
This is particularly useful for centralized reporting for an SOC that uses more than 
one workspace. 


NOTE CROSS-WORKSPACE ANALYTICS RULES 


There are a few things to be mindful of when using cross-workspace analytics rules. All the 
workspaces involved in the query must have Azure Sentinel installed. (You can't do it with 
just a Log Analytics workspace.) You can search a maximum of 20 workspaces in one rule. 
The incidents and alerts raised by the cross-workspace analytics rule will only appear in the 
originating workspace from which the rule is being run. 
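The cross-workspace form of the Exchange query from the bullet list above, as an added example that is not from the book: it goes a step further by tagging each row with the workspace it came from and summarizing per user, so an analyst can see which workspace raised the activity. <workspaceA> and <workspaceB> are placeholders for your workspace names, and the 1-hour window is an assumption standing in for the rule's scheduled lookback.

```kql
// Added example: cross-workspace version of the OfficeActivity Exchange query.
// Each parenthesized branch reads one workspace; the extend tags its rows so
// results from different workspaces stay distinguishable after the union.
// <workspaceA> / <workspaceB> are placeholders. A single rule may reference
// at most 20 workspaces, and every one of them must have Azure Sentinel enabled.
let lookback = 1h;   // assumption: matches the rule's scheduled lookback period
union
    (workspace('<workspaceA>').OfficeActivity | extend SourceWorkspace = '<workspaceA>'),
    (workspace('<workspaceB>').OfficeActivity | extend SourceWorkspace = '<workspaceB>')
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange"
| summarize EventCount = count(),
            Operations = make_set(Operation, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by SourceWorkspace, UserId
| order by EventCount desc
```

Keep in mind that, per the note above, any incident this rule raises is created only in the workspace where the rule runs, not in <workspaceA> or <workspaceB>.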


Identify advanced threats with user and entity behavior 
analytics (UEBA) 


Traditionally, user and entity behavior analytics (UEBA) was not incorporated into a SIEM solu- 
tion. Instead, you would have to buy a third-party product or add-on to be able to get these 
insights. Having the power of UEBA built into Azure Sentinel—and having it as part of the same 
interface—allows SOC analysts to focus on a particular entity as part of their investigation. 
Also, Azure Sentinel's UEBA can provide insights about an entity's anomalous activities and 
behaviors. These insights are based on that entity's previous behavior, and those behaviors are 
compared with the behavior of its peers (if a user) or similar endpoints (if a host). Figure 3-82 takes a look 
at the architecture of the UEBA feature. 


[Figure 3-82 shows the UEBA architecture: customer data already ingested into the 
Sentinel workspace as raw data from cloud and on-premises sources, together with users 
and groups information from Azure AD, feeds the cloud UEBA engine, which populates 
the UEBA tables.] 
FIGURE 3-82 UEBA architecture overview 


As you can see in Figure 3-82, Azure Sentinel's UEBA engine takes in raw data sources— 
from both the cloud and on-premises—that has already been ingested into the workspace, 
and it then takes users and groups information from Azure AD, enriches it all, and then 
populates the dedicated UEBA tables in Log Analytics. You will find these UEBA tables in your 
workspace (listed under Azure Sentinel UEBA) after you have enabled this feature. 


By default, UEBA is not enabled in Azure Sentinel, so let's first look at how to enable it: 
1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 
4. Click Entity Behavior. The Entity Behavior page appears, as shown in Figure 3-83. 
5. Click Configure UEBA. 
[Figure 3-83 shows the Azure Sentinel | Entity behavior page with an Enable UEBA prompt 
("Enable UEBA to benefit from..."). The navigation pane lists General (Overview, Logs, News 
& guides), Threat management (Incidents, Workbooks, Hunting, Notebooks, Entity behavior, 
Threat intelligence (Preview)), and Configuration (Data connectors, Analytics, Watchlist 
(Preview), Automation, Community, Settings). The page has a search box for accounts, hosts, 
or host IP addresses and an Accounts by # of alerts section.] 

FIGURE 3-83 The Entity Behavior page in Azure Sentinel 


6. You will be taken to the Entity Behavior Analytics Settings page. Click Configure 
UEBA one more time, which will open the Entity Behavior Configuration page, as 
shown in Figure 3-84. 


[Figure 3-84 shows the Entity behavior configuration page (Home > Azure Sentinel). Step 1, 
"Turn on the UEBA feature to sync Azure Sentinel with Azure Active Directory, creating 
profiles for the users and entities in your organization," has an On/Off toggle and notes 
that only a Global Administrator or a Security Administrator in your Azure Active Directory 
can turn this feature on or off. Step 2, "Select the existing data sources you want to enable 
for entity behavior analytics," lists Azure Activity (Microsoft) as available, and under 
"After connecting the following data sources you will be able to enable them for entity 
behavior analytics" lists Audit Logs, Security Events, and Signin Logs (all Microsoft).] 


FIGURE 3-84 The Entity Behavior configuration page in Azure Sentinel 
7. Select the data sources that you want to enable for UEBA. You can only enable data sources for UEBA that are already being ingested into your Azure Sentinel workspace. 


8. Click Apply. You have now enabled UEBA for the data sources you selected in your 
Azure Sentinel workspace. 


NOTE ADDITIONAL INGESTION CHARGES 


Be mindful that turning on UEBA will generate additional ingestion charges for your Azure Sentinel workspace because new UEBA tables are created, and data is stored in them for the feature to work. 


9. Now let's explore the entity pages that use the UEBA feature: Return to the Entity 
Behavior page, as shown in Figure 3-85. 


[Figure 3-85 screenshot: the Entity Behavior page with the search box "Search for accounts, hosts or host IP addresses" and the Accounts by # of alerts and Hosts by # of alerts panels] 


FIGURE 3-85 The Entity Behavior page in Azure Sentinel 


TIP ENTITY BEHAVIOR PAGE POPULATION 


In real life, after you have turned on UEBA, it can take up to an hour for the Entity Behavior page to start being populated. 
10. The top accounts and hosts by number of alerts will be shown. You can click them to be taken to that entity's page, as shown in Figure 3-86. 


[Figure 3-86 screenshot: a user entity page for the time range 5/5/2021 2:58:36 PM to 5/6/2021 2:58:36 PM, with Insights (User Peers Based on Security Groups Membership, Actions on account, Event Logs cleared by user, Group additions, Anomalously high office operation count, Anomalously high Azure sign-in result count, UEBA Insights), an Events and alerts over time chart, and an Alerts and activities timeline showing a Suspicious Remote WMI Execution alert] 


FIGURE 3-86 User entity page in Azure Sentinel UEBA 


Both the user and host entity pages are similar, follow a theme that is familiar from other pages in 
Azure Sentinel, and focus on timeline and insights: The page shows all the alerts related to that 
entity in a timeline fashion. Insights about that entity are found on the left side of the page. 
Insights are based on the following data sources: 


■ Syslog (Linux) 

■ SecurityEvent (Windows) 

■ AuditLogs (Azure AD) 

■ SigninLogs (Azure AD) 

■ OfficeActivity (Office 365) 

■ BehaviorAnalytics (Azure Sentinel UEBA) 

■ Heartbeat (Azure Monitor Agent) 

■ CommonSecurityLog (Azure Sentinel) 


Entity pages and UEBA functionality are designed to fit into a larger incident investigation 
and management piece when an SOC is using Azure Sentinel, and they highlight anomalous 
behaviors and help with triaging. 
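The entity pages described above are built on the BehaviorAnalytics table listed among the insight sources. As an added example (not code from the book), the following KQL query ranks accounts by the UEBA investigation priority of their anomalous activities over the last seven days, which gives a triage analyst a shortlist of which user entity pages to open first. Only the table name is on the page; the column names (InvestigationPriority, UserPrincipalName, ActivityType, ActionType, SourceIPAddress) are taken from the published BehaviorAnalytics schema, so confirm them against your own workspace.

```kql
// Added example (not from the book): rank accounts by UEBA anomaly score over the last 7 days.
// Column names assume the published BehaviorAnalytics schema.
BehaviorAnalytics
| where TimeGenerated > ago(7d)
// UEBA scores every activity; 0 means nothing about it was unusual, so keep only anomalies
| where InvestigationPriority > 0
| summarize
    AnomalousActivities = count(),
    MaxPriority         = max(InvestigationPriority),
    SumPriority         = sum(InvestigationPriority),
    // what kinds of activity were flagged (capped to keep the row readable)
    Activities          = make_set(strcat(ActivityType, "/", ActionType), 10),
    SourceIPs           = make_set(SourceIPAddress, 10),
    LastSeen            = max(TimeGenerated)
    by UserPrincipalName
| order by SumPriority desc
| take 20
```

Summing the priority rather than counting rows surfaces an account with a few severe anomalies ahead of one with many low-scoring ones; the per-row ActivityInsights, UsersInsights and DevicesInsights columns then explain on the entity page why each activity was flagged.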


EXAM TIP 


For the SC-200 exam, make sure you understand what UEBA is and how it can be used to 
assist in investigations. 
Skill 3-6: Use Azure Sentinel workbooks to analyze and interpret data 


If you used Azure Sentinel during its initial public preview phase back in 2019, you might re- 
member that the workbooks page in the user interface was simply called “dashboards.” While 
workbooks in Azure Sentinel do provide the basis for displaying data and information from the 
product in various formats that could be used as a dashboard, the reality is that workbooks are 
much, much more than that. They can be used for guided querying and assisting SOC analysts 
to focus their attention on the most critical incidents and events in their environments. 


This section of the chapter covers the skills necessary to activate and customize Azure Senti- 
nel workbook templates, create custom workbooks from scratch, configure advanced visual- 
izations, analyze data using workbooks, and track incident and SOC metrics using the security 
operations efficiency workbook according to the SC-200 exam outline. 


Activate and customize Azure Sentinel workbook templates 


As you spend more time getting familiar with Azure Sentinel, you will find that Microsoft has 
provided out-of-the-box templates for workbooks that you can add to your workspace and customize 
with minimal overhead. Workbook templates typically exist for any built-in data source for which 
you can find a connector in the data connectors gallery. Remember, there are also workbook 
templates that aren't directly related to a single specific data source, so make sure that you look 
through the workbook template gallery carefully and activate any workbooks that are relevant to 
your environment. 


NOTE MANAGING AZURE SENTINEL WORKBOOKS 


Azure Sentinel workbooks use Azure Monitor workbooks as their base, so if you've used 
those workbooks before, you will know how to manage Azure Sentinel workbooks. 


Let's look at how to activate a workbook template in your Azure Sentinel workspace: 
1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure Sentinel Workspace page appears. 
3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 


4. Click Workbooks. The Workbooks gallery appears, as shown in Figure 3-87. 


[Figure 3-87 screenshot: the Azure Sentinel | Workbooks gallery for the workspace 'sentinel-workspace', with the Saved workbooks / Templates / Updates counters, My workbooks and Templates tabs, and templates including Security Alerts, Security Operations Efficiency, Security Status, Sentinel Central (Azure Sentinel Community), SharePoint & OneDrive, SolarWinds Post Compromise Hunting, and Sophos XG Firewall] 


FIGURE 3-87 Workbooks gallery in Azure Sentinel 
5. Select the workbook you want to activate in your Azure Sentinel workspace, and the preview bar appears on the left side of the screen, as shown in Figure 3-88. 


[Figure 3-88 screenshot: the template summary for Security Operations Efficiency (Microsoft), listing Required data types SecurityAlert and SecurityIncident, with View template and Save buttons] 


FIGURE 3-88 Workbook template summary 


6. Click View Template. This will show you a preview of the workbook using the data in your workspace. 


NOTE REQUIRED DATA TYPES 

A workbook template displays Required Data Types and will indicate whether the logs required for the workbook to function properly are available in your workspace. Be prepared for a few errors if you activate the template and don't have all the logs that the workbook uses! 


7. Return to the workbooks gallery, and this time, select the workbook you want to activate and click Save. 
8. You will be prompted to select the location where you want to save the workbook, as shown in Figure 3-89. 


[Figure 3-89 screenshot: the Save workbook to... dialog with the prompt "Select a location where you want to save this workbook", a location drop-down showing Australia Southeast, and an OK button] 


FIGURE 3-89 Saving a workbook in the workbooks gallery 


9. Choose your desired location and click OK. 


10. You will notice that the button options for that workbook have changed, and you now have the View Saved Workbook option, as shown in Figure 3-90. 


[Figure 3-90 screenshot: the saved Analytics Efficiency (Microsoft) workbook in the gallery, listing Required data types SecurityAlert and SecurityIncident, with View saved workbook, View template and Delete buttons] 


FIGURE 3-90 A saved workbook in the workbooks gallery 
11. Click View Saved Workbook. 


12. You will be taken to your saved workbook template, which is populated with the data 
from your workspace, as shown in Figure 3-91. 


[Figure 3-91 screenshot: the saved Azure Activity workbook for sentinel-workspace, with Caller and ResourceGroup parameters, a Top 10 active resource groups tile strip (All 1997, Sentinel-RG 1619, sentinel-rg 1297, ...), and an Activities over time chart summing deletions, creations, updates and activities] 


FIGURE 3-91 A saved workbook in Azure Sentinel 


13. If required, you can now use the Edit button and customize this template. 


Create custom workbooks 


Although workbook templates cover many use cases and eventualities in Azure Sentinel, in a 
large, complex organization, it is likely that you will need to create a workbook from scratch to 
report on items specific to your organization. 


EXAM TIP 


It’s important that you know how to effectively create a useful, custom workbook for your 
SC-200 exam. 


266 CHAPTER3 Mitigate threats using Azure Sentinel 
Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


Let's look at how to create a useful, custom workbook: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 

4. Click Workbooks. The Workbooks Gallery appears. 

5. Click Add Workbook. The New Workbook page appears, as shown in Figure 3-92. 


[Figure 3-92 screenshot: the New workbook page for sentinel-workspace, showing the default text "Welcome to your new workbook. This area will display text formatted as markdown. We've included a basic analytics query to get you started. Use the edit button below each section to configure it or add more sections" and a starter query that shows record counts per table (AzureActivity, ThreatIntelligenceIndicator, UserPeerAnalytics, BehaviorAnalytics, Heartbeat, ...)] 


FIGURE 3-92 Opening a new custom workbook 


6. Click Edit, and you will now be able to add items to your custom workbook, as shown in Figure 3-93. 


[Figure 3-93 screenshot: the Add drop-down menu with the items Add text, Add parameters, Add links/tabs, Add query, Add metric, and Add group] 


FIGURE 3-93 Adding new items to a custom workbook 
7. Let's briefly explain the items in the Add menu: 


■ Add Text As this self-explanatory option implies, text can be added to your workbook to explain 
the purpose of the workbook or to give any additional explanation of the visualizations being 
shown. Text in workbooks is formatted as markdown. 

■ Add Parameters This is where parameters that can be iterated throughout the workbook are 
defined, as shown in Figure 3-94. 


[Figure 3-94 screenshot: the New Parameter pane for sentinel-workspace, with Settings and Advanced Settings tabs and the fields Parameter name, Display name, Parameter type (Text), Parameter field style (Standard / Password / Multiline), Required?, Explanation ("What is this parameter used for?"), Hide parameter in reading mode, Get data from (None / Query), and a Previews section showing how the parameter looks when editing and when not editing (<unnamed>: <unset>)] 


FIGURE 3-94 Adding parameters to a custom workbook 


■ Add Links/Tabs This self-explanatory option allows you to add relevant links and tabs to 
your workbook. 


■ Add Query Arguably the most important aspect of customizing workbooks, this is where you can 
add KQL queries that will bring back data to the workbook to be displayed. If you've learned KQL 
for searching logs and writing analytics rules, you'll have a good idea of what is required here 
from a query language perspective. There are several different visualizations that you can choose 
to use, which can be set in the user interface or in the query itself using the render KQL 
operator, as shown in Figure 3-95. 


EXAM TIP 


Study some of the workbook templates and how they structure their KQL queries to help 
you understand how to construct KQL queries for visualizations in workbooks. 
[Figure 3-95 screenshot: the Editing query item pane with Settings, Advanced Settings, Style and Advanced Editor tabs; Query, Time Range, Visualization, Size and Chart Settings controls; the sample query "Tablename | render barchart"; a Visualization drop-down listing Bar chart (Categorical), Bar chart (Unstacked), Line chart, Pie chart, Graph and others; and an action bar with Done Editing, Cancel, Add, Move, Clone and Remove] 


FIGURE 3-95 Choosing a visualization in a workbook query 


■ Add Group This is where workbook items can be grouped logically to make management of the 
workbook easier. 


8. When you've finished creating your custom workbook, click Save. 


9. Choose where you want to save your custom workbook to, as shown in Figure 3-96. 


[Figure 3-96 screenshot: the save dialog with the fields Title (Azure Sentinel Report 1), Subscription (Contoso Security Operations), Resource group (Sentinel-RG), Location ((US) East US), and a "Save content to an Azure Storage Account" check box] 


FIGURE 3-96 Saving a custom workbook 


Configure advanced visualizations 


There are many visualization options to choose from in Azure Sentinel when creating work- 
books. Choosing the “correct” visualization for the data being displayed will be—to a large 
extent—a personal preference for those individuals creating the workbook and the organiza- 
tion’s preferences for how the data is to be displayed. 


Having said this, certain query results don't display well (or at all) in certain types of visual- 
izations. In preparation for your SC-200 exam, make sure you are familiar with what does and 
doesn't work in terms of the different visualization options and query results in Azure Sentinel. 
For example, queries that use the bin operator to summarize query results usually display best 
with a line or bar chart. 
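To make the render operator discussed under Add Query and the bin() observation above concrete, here are two workbook query items as an added example (not code from the book or from any Microsoft template). Both query the SecurityAlert table; the columns ProviderName and AlertSeverity are standard fields of that table, and the seven-day window is hard-coded only so the queries run as-is in the Logs blade (in a workbook you would normally let the item's Time Range setting or a TimeRange parameter supply it).

```kql
// Added example (not from the book): two workbook query items that pick their
// visualization with the render operator instead of the Visualization drop-down.

// Query item 1: alerts per hour, per product. bin() turns TimeGenerated into
// fixed buckets, so the output is a time series and renders best as a line/time chart.
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Alerts = count() by bin(TimeGenerated, 1h), ProviderName
| render timechart

// Query item 2: a categorical breakdown (one row per category, one numeric column)
// renders well as a pie or bar chart; there is no time axis, so bin() is not used.
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Alerts = count() by AlertSeverity
| render piechart
```

Each query goes in its own Add Query item. Swapping the two visualizations illustrates the point made above: a bucketed time series as a pie chart collapses into one meaningless slice per hour, and a four-row severity breakdown as a time chart has nothing to plot on the x-axis.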
EXAM TIP 


The Visualizations Demo workbook template found in Azure Sentinel (see Figure 3-97) is 
a template specifically designed to showcase different types of workbook visualizations. 
Make sure that you use it to help your SC-200 studies! 


[Figure 3-97 screenshot: the Visualizations Demo template (Azure Sentinel Community) in the gallery, with Required data types SecurityAlert] 


FIGURE 3-97 The Visualizations Demo workbook template 


Let's look at some of the visualization options available for you to use in workbooks: 


■ Charts Available chart types include line, bar, pie, and time. You can customize the chart's 
height, width, color palette, legend, titles, and so on. Also, you can customize axis types and 
series colors using the chart settings. Figure 3-98 shows an example pie chart in a workbook: 


[Figure 3-98 screenshot: a pie chart of 32.5K alerts split by product, with slices for Microsoft Defender Advanced Threat Protection, Microsoft Cloud App Security, Azure Active Directory Identity Protection, Azure Advanced Threat Protection, and Other] 


FIGURE 3-98 Pie chart in an Azure Sentinel workbook 
■ Grids Grids display the results of a query not unlike the results seen in the Log Analytics 
query interface, so using KQL you can choose the columns that appear in the grid. Figure 3-99 
shows an example grid in a workbook. 


[Figure 3-99 screenshot: the Visualizations Demo workbook with tabs Text, Grids, Tiles, Charts and Graphs, Time Brushing, Dynamic Content, Personalization; a text item reading "This is an example of text being put in a workbook. This workbook shows different types of visualizations that can be achieved in Sentinel workbooks"; a Time Parameter set to Last 24 hours; and a grid with the columns TenantId, TimeGenerated, DisplayName, AlertName] 


FIGURE 3-99 Example grid in an Azure Sentinel workbook 


■ Tiles Tiles are a method of presenting summarized data in workbooks. Figure 3-100 shows an 
example of tiles in a workbook: 


[Figure 3-100 screenshot: four tiles with sparklines: All Sign-ins 46.5K, Success 42.6K, Failure 3.38K, Pending user action 494] 


FIGURE 3-100 Example tile in an Azure Sentinel workbook 


■ Graphs Graphs can show the relationships between entities in the logs they are analyzing. 
See Figure 3-101 for an example of a graph visualization: 


[Figure 3-101 screenshot: the Teams and External Collaboration workbook's "External Collaboration via Teams" graph, with Microsoft Teams Sync nodes linked to collaboration partners] 


FIGURE 3-101 Example graph in an Azure Sentinel workbook 
View and analyze Azure Sentinel data using workbooks 


So far in this part of the chapter, we have discussed how you can configure and create work- 
books, but next we'll focus on how to use workbooks in the context of an SOC analyst respond- 
ing to or investigating incidents. How an SOC uses workbooks is, of course, highly contextual 
and will depend on the organization's wider IT operations processes, so this section will look 
at how workbooks can be used by an SOC in a more general context and explore some of the 
main analytical concepts. 


For this example, we're going to be using one of the built-in workbook templates, the Azure 
AD Sign-In Logs workbook: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 
4. Click Workbooks. The Workbooks gallery appears. 

5. Click the Azure AD Sign-In Logs Workbook. 

6. Click View Saved Workbook. The Sign-in Analysis Workbook appears, as shown in Figure 3-102. 


[Figure 3-102 screenshot: the Sign-in Analysis workbook with parameters Apps, UserNamePrefix, UserName, Category and Country (all set to All); tiles All Sign-ins 120.3K, Success 119.4K, Failure 703, Pending user action 283; and a Sign-ins by Location grid (columns Name, Sign-in count, Trend, Failure Count, Interrupt Count, Category) with US at 1.227K sign-ins, 28 failures and 157 interrupts] 


FIGURE 3-102 Azure AD Sign-in Analysis workbook 


7. Let's look at this workbook from the perspective of an SOC analyst who wants to look 
for unusual activity in the Azure AD sign-in logs. As we can see in Figure 3-102, the 
number of sign-ins for each country is shown, as well as the trend for sign-ins from each 
country for the time range specified. The TimeRange is set to Last 7 Days. 
8. Clicking in the Sign-Ins By Location box allows you to drill in to more specific locations in the U.S., as shown in Figure 3-103. 


[Figure 3-103 screenshot: the Sign-ins by Location grid with US expanded (1.227K sign-ins, 157 interrupts, SigninLogs), showing the rows Pflugerville (43 sign-ins, 4 failures, 18 interrupts) and Redmond (52 sign-ins, 1 failure, 14 interrupts), each with a trend sparkline] 


FIGURE 3-103 Drilling into sign-in locations detail by country 


9. We can see that both Redmond and Pflugerville are the most recorded locations for sign-ins in this workspace in the past 7 days and that there have been a couple of small spikes in sign-ins from these locations in the past week. (We can observe this by looking at the Trend column.) 


10. Moving further down the workbook, the SOC analyst can analyze the number of successful versus unsuccessful sign-ins, as shown in Figure 3-104. 


[Figure 3-104 screenshot: the Troubleshooting Sign-ins section with tiles Success 116K, Success 3.4K, Failure 612, Pending action (Interrupt) 283, Failure 91, and a Summary of top errors grid (columns Error Code, Reason, Error Count, Category) listing error code 50126, "Invalid username or password or Invalid on-premise username or password", 68, SigninLogs] 


FIGURE 3-104 Checking the Troubleshooting Sign-Ins section 


11. The workbook also shows the Summary Of Top Errors for the selected time period. Figure 3-104 shows that in this instance, the top sign-in error was Fresh Auth Token Is Needed. Have The User Re-Sign Using Fresh Credentials, followed by Invalid Username Or Password Or Invalid On-Premises Username Or Password. This information can assist an SOC analyst in understanding the baseline of the environment they manage, as well as help them look for anomalies. 
12. The SOC analyst can choose to focus in on a specific user or change the time period that the workbook displays; this can be done via the parameters tabs—TimeRange, Apps, UserNamePrefix, and UserName—at the top of the workbook, as shown in Figure 3-105. 


[Figure 3-105 screenshot: the workbook's TimeRange parameter drop-down expanded over the Sign-ins by Location grid, offering Last 5 minutes, Last 15 minutes, Last 30 minutes, Last hour, Last 4 hours, Last 12 hours, Last 24 hours, Last 48 hours, Last 3 days, Last 7 days (selected), Last 14 days, Last 30 days, and Custom, next to the Apps and UserNamePrefix parameters] 


FIGURE 3-105 Changing the parameters of a workbook 


13. Finally, it might be necessary to print a hard or soft copy of the workbook to give to management for reporting purposes. This can be done by clicking the ellipsis (three dots) to the right of the workbook's title, as shown in Figure 3-106. 


[Figure 3-106 screenshot: the Visualizations Demo workbook in sentinel-workspace with the ellipsis menu open, offering Copy title to clipboard, Print content, and Toggle full screen view, next to the Auto refresh: Off control] 


FIGURE 3-106 Printing a workbook in Azure Sentinel 


Track incident metrics using the security operations 
efficiency workbook 


Although all the Azure Sentinel workbook templates are very useful—they've all been written 
by experts in their field—they are often tied to a particular data source and will not be useful 
if you are not ingesting that data source into your Azure Sentinel workspace. However, the 
Security Operations Efficiency workbook is a workbook that uses the SecurityIncidents table 
to allow you to track key SOC metrics, such as the number of incidents raised, their severity, 
mean time to triage, and so on. Regardless of your organization's security operations processes 
and the data sources you ingest, you will want to track key performance indicators (KPIs) of 
your SOC. (And even if you don't, your management probably will!) 


EXAM TIP 


For the SC-200 exam, it's important that you're familiar with the Security Operations Efficiency workbook and the metrics that it can provide for reporting on an SOC's performance. 


Let's walk through this workbook to learn more about reporting: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure Sentinel Workspace page appears. 

3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 

4. Click Workbooks. The Workbooks gallery appears. 


5. Click the Security Operations Efficiency workbook. The Security Operations Efficiency workbook appears, as shown in Figure 3-107. Here, you can see various SOC operational metrics for reporting purposes. In Figure 3-107, we can see that there was a large spike in new incidents on about May 2 and that most incidents are being raised as high-severity incidents. 


[Figure 3-107 screenshot: the Security Operations Efficiency workbook with parameters Subscription, Workspace, Incident Creation Time, Severity, Tactics, Owner, Product Name and Show Help; an Incidents created over time chart with a pronounced spike; and the charts Incidents created by severity, Incidents created by owner, and Incidents created by status] 


FIGURE 3-107 Security Operations Efficiency workbook 




6. Scrolling further into the workbook, we can see two key SOC operational metrics. Mean 
Time To Triage and Mean Time To Closure are—along with the number of incidents 
and severity—very commonly used SOC reporting metrics. (The example in Figure 3-108 
shows a very slow SOC team. Mean Time To Triage should be much less than one day 
in real life. Fortunately, this is not a real SOC!) 


[Figure 3-108 screenshot: two tiles, Mean time to triage 11.082 days and Mean time to closure 11.13 days] 


FIGURE 3-108 Mean Time To Triage and Mean Time To Closure 


EXAM TIP 


Make sure that you are familiar with the typical metrics that SOC managers use for KPIs 
and how to display these in a workbook in Azure Sentinel. Most of this should be covered 
in the security operations efficiency workbook, but you should study the queries behind 
the workbook so that you understand how to query the SecurityIncidents table to obtain 
these metrics. 
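The KPIs in Figures 3-107 and 3-108 all come out of a handful of summarize operations over the incident table (the book calls it SecurityIncidents; its schema name is SecurityIncident). The query below is an added example, not the workbook's own KQL, that reproduces the three headline metrics (incident count by severity, Mean Time To Triage, Mean Time To Closure) so you can see where the numbers come from. It relies on the standard SecurityIncident columns IncidentNumber, CreatedTime, FirstModifiedTime, ClosedTime, LastModifiedTime, Status, Severity and Classification; the 30-day window and the use of FirstModifiedTime as the triage timestamp are assumptions you may want to change.

```kql
// Added example (not the workbook's own query): SOC KPIs from the SecurityIncident table.
// Every edit to an incident writes a new row, so first reduce to the newest row per incident,
// otherwise a much-edited incident is counted several times.
let LatestIncidentState = SecurityIncident
    | where CreatedTime > ago(30d)
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber;
LatestIncidentState
| extend
    // triage = first time an analyst touched the incident after it was created
    TimeToTriage  = FirstModifiedTime - CreatedTime,
    // closure is only meaningful for closed incidents; open ones contribute null
    TimeToClosure = iff(Status == "Closed", ClosedTime - CreatedTime, timespan(null))
| summarize
    Incidents         = count(),
    Open              = countif(Status != "Closed"),
    Closed            = countif(Status == "Closed"),
    TruePositives     = countif(Classification == "TruePositive"),
    MeanTimeToTriage  = avg(TimeToTriage),    // avg() skips nulls (never-triaged incidents)
    MeanTimeToClosure = avg(TimeToClosure)
    by Severity
| order by Incidents desc
```

Dropping the final `by Severity` gives the single-tile figures of Figure 3-108; keeping it shows whether the slow triage in that figure is spread evenly or concentrated in low-severity incidents, which is usually the more useful conversation to have with SOC management.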


Skill 3-7: Hunt for threats using the Azure Sentinel portal 


Hunting is the proactive side of threat detection in security operations. While much focus is 
put on the reactive side of detection (creating alerts and incidents in response to patterns of 
behavior being correlated across log sources), as an SOC increases in maturity, it should be 
moving toward proactive threat hunting and looking for potentially suspicious activity before 
it triggers a detection rule. 


This section of the chapter covers the skills necessary to create custom hunting queries; 
manually run hunting queries; monitor using Livestream; perform hunting using notebooks; 
track query results with bookmarks; use those bookmarks in investigations; and convert a 
hunting query into an analytics rule. 
Create custom hunting queries 


If you're reading this chapter from start to finish, you probably already know what this topic is 
going to start with: Microsoft includes many Sentinel hunting queries, written by security 
experts, that you can use right out of the box. Before you take the time and effort to write a 
custom query, do look through the built-in hunting queries to see if they will meet your 
requirements. Hunting queries don't have templates. The out-of-the-box queries exist in your 
hunting queries list, and you can't edit them as you can with analytics rules and workbooks. If 
you want to edit an out-of-the-box hunting query, you will need to re-create the whole query 
with your edited KQL. 


TIP HUNTING QUERIES VERSUS ANALYTICS RULES 


If you're unsure about the differences between a hunting query and an analytics rule, use the 
out-of-the-box hunting query templates to give you an idea. Typically, hunting queries are 
looking for a single or limited series of events that might be an indicator of a security issue, 
but in isolation, they would not necessarily be sufficient to raise an incident immediately. 


Let's look at how to create a custom hunting rule in Azure Sentinel: 
1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 


4. Click Hunting. The Hunting page appears, as shown in Figure 3-109. 


[Figure 3-109 screenshot: the Azure Sentinel | Hunting page, with per-tactic query counters across the top and the list of built-in hunting queries beneath] 

FIGURE 3-109 The Hunting page in Azure Sentinel 
5. Click New Query. The Create Custom Query page appears, as shown in Figure 3-110. 


[Figure 3-110 screenshot: the Create custom query pane, showing the query SecurityEvent | where ParentProcessName contains "powershell.exe" and an Entity mapping section with an Entity Type selector] 


FIGURE 3-110 Create Custom Query 


Following is the KQL of the query shown in Figure 3-110: 


SecurityEvent 
| where ParentProcessName contains "powershell.exe" 


6. On the Create Custom Query page, you can define the Name, Description, Custom Query, Entity Mapping, and MITRE Tactics for your hunting query. 


NOTE AVOID REFERENCES TO TIME RANGES 


Unlike an analytics rule, hunting query logic should not include any reference to time 
ranges because this prevents Azure Sentinel from showing you the change in query 
results over time to create a baseline for monitoring. 
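As an added example (not code from the book), here is a more developed version of the PowerShell hunting query from Figure 3-110 that follows the note above: it applies no time filter of its own, so the Hunting page's time range and results-delta tracking work, and it keeps Computer as a column so the Host entity type can be mapped to it in the Entity Mapping section. The columns EventID, ParentProcessName, NewProcessName, Computer and Account are standard SecurityEvent fields for Windows event 4688 (process creation); the rarity threshold of three executions per host is an assumption to tune for your environment.

```kql
// Added example (not from the book): hunt for uncommon child processes of powershell.exe.
// No TimeGenerated filter: the Hunting page supplies the time range and compares runs.
SecurityEvent
| where EventID == 4688                     // Windows process-creation event
| extend
    // reduce full paths to the image name so C:\... and D:\... variants group together
    ParentImage = tolower(extract(@"([^\\]+)$", 1, ParentProcessName)),
    ChildImage  = tolower(extract(@"([^\\]+)$", 1, NewProcessName))
| where ParentImage == "powershell.exe"
| summarize
    Executions = count(),
    Accounts   = make_set(Account, 5),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by Computer, ParentImage, ChildImage
// a parent/child pair seen only a few times on a host is the hunting lead; assumed threshold
| where Executions <= 3
| order by Executions asc, LastSeen desc
```

Map Host to the Computer column in Entity Mapping and tag the Execution tactic; once the result count settles into a stable baseline across runs, the same query is a candidate for promotion to an analytics rule, which is covered later in this skill.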


7. Click Create. 


8. You will be returned to the Hunting page, and if you search for your custom hunting 
query by name, it should now appear in your hunting Queries list, as shown in 
Figure 3-111. 
[Figure 3-111 screenshot: the Hunting page Queries tab filtered by "powershell use" (132/195 active/total queries; Favorites, Provider, Data sources, Tactics and Techniques filters all set to All), listing the custom query Powershell use with Provider Custom Queries, Data Source SecurityEvent, Results 0, Results delta 0 (0%)] 


FIGURE 3-111 Searching for a custom hunting query 


Run hunting queries manually 


Hunting queries will almost always be run manually in Azure Sentinel, which we will explore in 
this topic: 

1. Navigate to the Azure portal by opening https://portal.azure.com. 

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure Sentinel Workspace page appears. 

3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 

4. Click Hunting, which opens the Hunting page. 


5. Select the query that you want to run manually. The Hunting Query Preview pane appears, as shown in Figure 3-112. 


[Figure 3-112 screenshot: the Hunting Query Preview pane for Least Common Parent And Child Process Pairs (Provider Microsoft, Data source SecurityEvent, 162 results). Description: "Looks across your environment for least common Parent/Child process combinations. Will possibly find some malicious activity disguised as well known process names. By ZanCo." Tactics: Execution ("The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system", with a link to attack.mitre.org). The Query section begins:] 

let Allowlist = dynamic(['foo.exe', 'baz.exe']); 
let Sensitivity = 5; 
let StartDate = ago(7d); 
let Duration = 7d; 
SecurityEvent 
| where EventID == 4688 and TimeGenerated > StartDate 
[the rest of the query is cut off in the figure] 


FIGURE 3-112 The Hunting Query Preview pane 
6. Click Run Query. The hunting query will be run, and the Results column will be populated with the number of results that query has returned, as shown in Figure 3-113. 


[Figure 3-113 screenshot: the Queries tab after the run, with the query row showing Data Source SecurityEvent, Results 162, Results delta N/A, and the Execution tactic] 


FIGURE 3-113 Checking the number of results a hunting query has returned 


7. To see the hunting query results in more detail, click View Results in the Hunting Query Preview pane, and you will be taken to the Log Analytics page to see the raw results of the query. 


8. To run multiple hunting queries at the same time, select the queries to be run on the Hunting page using the check boxes next to each query, as shown in Figure 3-114. 


[Figure 3-114 (screenshot): the Queries tab of the Hunting page, with the toolbar Refresh, 
Last 24 hours, New Query, Run selected queries (Preview), and Columns; counters for Active / 
total queries (132/195), Result count / queries run, Livestream Results, and My bookmarks; a 
row of per-tactic query counts (PreAttack, Initial Access, Execution, Persistence, Privilege 
Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, 
Exfiltration, Command and Control); and the query list with check boxes, in which "Changes 
made to AWS IAM policy" (Microsoft, AWSCloudTrail), "Consent to Application discovery" 
(Microsoft, AuditLogs), and "Rare Audit activity initiated by App" (Microsoft, AuditLogs) are 
selected.] 

FIGURE 3-114 Selecting multiple hunting queries to be run 


9. Click Run Selected Queries. 

10. The selected queries will run, and the results will be displayed in the Results column in 
the same way they are shown when you run a single query. 


Mitigate threats using Azure Sentinel 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


Monitor hunting queries by using Livestream 


Livestream is a way of running hunting queries continuously—every 30 seconds—and it will 
let you know if there are any new results matching the query. This is a great way to monitor for 
any baseline changes in your environment that can be indicative of a security issue, without 
raising any unnecessary false-positive incidents. Livestreams can also be useful for testing 
new queries, and it is also possible to “promote” a Livestream query to an analytics rule or 
straight into an investigation. 


Let's look at how to use a Livestream in Azure Sentinel: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 

3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 

4. Click Hunting, which opens the Hunting page. 

5. Click the Livestream tab, which opens the Livestream tab on the Hunting page, as 
shown in Figure 3-115. 


[Figure 3-115 (screenshot): the Livestream tab of the Hunting page, with the toolbar Refresh, 
Last 24 hours, New livestream, and Guides & Feedback, and counters for Active / total queries 
(132/195), Result count / queries run, Livestream Results, and My bookmarks. The empty tab 
shows an "Azure Sentinel Livestream" panel explaining what it is and the types of activities 
you can perform with Livestream: test newly created queries as they occur, and get 
notifications of threat feed matches.] 

FIGURE 3-115 The Livestream page 
6. The Livestream tab is not prepopulated with queries, so if this is your first time using the 
feature, it will be empty. To add a Livestream query, click New Livestream. 

7. The Livestream page appears, as shown in Figure 3-116, using this KQL: 


SecurityEvent 
| where EventID == 4625 


[Figure 3-116 (screenshot): the Livestream page (Home > Azure Sentinel > Livestream), with 
the toolbar Play, Save, Create analytics rule, and Columns, and the message "Livestream 
session is paused, click 'Play' to start". The Name field contains "Failed login" and the Query 
field contains the KQL above; the results grid below (columns Account, AccountExpires, 
AccountName, AccountType, Activity, ...) shows "No results".] 

FIGURE 3-116 The Livestream page 


8. Give your Livestream a Name and enter the KQL for the Livestream in the Query 
field. Remember, as for other hunting queries, you should not specify time periods in 
Livestream query logic because this prevents Azure Sentinel from detecting changes 
over time. 


9. Click Save. 
10. Click Play to start the Livestream. 


TIP BE PATIENT! 


If you are expecting immediate results with your livestream query, be patient! It can take 
up to 30 seconds for the Livestream to start and for results to be visible. 
11. The Livestream will start running. Any results from the query will be displayed below on 
the Livestream page, as shown in Figure 3-117. 


[Figure 3-117 (screenshot): the Livestream page with the toolbar Pause, Save, Create 
analytics rule, and Columns, and the message "Livestream session is currently running, click 
'Pause' to stop". The Name field contains "Failed logon" and the Query field contains the same 
KQL (SecurityEvent | where EventID == 4625); the results grid below lists rows whose 
Activity is "4625 - An account failed to log on".] 

FIGURE 3-117 The Livestream page with query results 


12. The Livestream results will be refreshed every 30 seconds. 

13. You can pause the Livestream using the Pause button at the top of the Livestream page. 

14. Return to the Livestream tab on the Hunting page, as shown in Figure 3-118. 


[Figure 3-118 (screenshot): the Livestream tab of the Hunting page, with the toolbar Refresh 
and Last 24 hours and the counters Active / total queries, Result count / queries run, 
Livestream Results, and My bookmarks. The list (columns Status, Query, Running Since, 
Results, Last Result, Last Result Time) shows one Livestream: Status Running, Query "Failed 
logon", Running Since 05/23/21, 03:38 PM, Results 100, Last Result 100, Last Result Time 
05/23/21, 03:41 PM.] 

FIGURE 3-118 The Livestream tab with saved Livestreams 


15. The saved Livestream is now visible on the tab, and you can also see whether the 
Livestream is currently running by looking at the Status column. 
16. You can pause and play livestreams from this page using the Livestream preview pane 
on the right side of the page, as shown in Figure 3-119. 


[Figure 3-119 (screenshot): the Livestream preview pane for "Failed logon", showing Last Hit 
3:41:39 PM, Results 100, Data Source SecurityEvent, the query SecurityEvent | where 
EventID == 4625, a "View query results" link, an "Open livestream" button, and the 
Play/Pause button.] 

FIGURE 3-119 The Livestream preview pane with the Play button visible 


17. Click Pause or Play in this pane. (This button toggles between Play and Pause.) 


Track query results with bookmarks 


An SOC analyst might look through hundreds of thousands of logs during a shift, and the human 
brain can only process and remember a limited number of details. This is where bookmarks come 
in handy. They are a tool in Azure Sentinel that allows you to save specific records from a query 
result that an SOC analyst can revisit if they need to. Bookmarks can be attached to incidents to 
assist with investigation, and as with most things in Azure Sentinel, they also are stored in their 
own table—the HuntingBookmark table—and they can be searched through using KQL. 
Let's look at how to create a bookmark in Azure Sentinel: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 

3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 

4. Click Hunting, which opens the Hunting page. 

5. Select a hunting query to run. The Hunting Query Preview pane appears on the right 
side of the screen, as shown in Figure 3-120. 


[Figure 3-120 (screenshot): the Hunting Query Preview pane for the query "Admin Azure 
Activity" (Provider: Custom Queries; Results: 55; Data sources: AzureActivity). Description: 
"Looking for Admin activity in Azure Activity logs". Created time 5/24/2021. The Query section 
shows AzureActivity | where Category == "Administrative", followed by a "View query results" 
link and the mapped Entities, Account and IP.] 

FIGURE 3-120 The Hunting Query Preview pane in Azure Sentinel 


6. Click View Query Results or View Results. (Both take you to the Logs page.) 

7. You will be taken to the Logs page, where you can view the results of the hunting query, 
as shown in Figure 3-121. The KQL of the query is as follows: 


AzureActivity 
| where Category == "Administrative" 

[Figure 3-121 (screenshot): the Logs page with the query above in the editor, Time range set 
to Last 24 hours, and the toolbar Save, Share, New alert rule, Export, Pin to dashboard, and 
Format query. The Results tab reads "Completed. Showing results from the last 24 hours" and 
lists AzureActivity rows from 5/24/2021 for operations such as Validate Deployment 
(Microsoft.Resources/deployments/validate/action), Create Deployment 
(Microsoft.Resources/deployments/write), Update Alert Rules 
(Microsoft.SecurityInsights/alertRules/write), Create Workspace 
(Microsoft.OperationalInsights/workspaces/write), and Create or update workbook, each at 
Informational level with an activity status of Started, Succeeded, or Accepted.] 

FIGURE 3-121 Viewing hunting query results on the Logs page 


8. Select the record you want to bookmark and click Add Bookmark. The Add Bookmark 
pane appears, as shown in Figure 3-122. 

9. You can enter details about the record you are saving as a bookmark, including the 
Name, Entity Mapping, Tags, and Notes to remind yourself or other SOC personnel 
what is important or noteworthy about this bookmark. When you've finished, 
click Create. 


NOTE BOOKMARKS IN INVESTIGATION GRAPH 

To view a bookmark in the investigation graph, you need to map at least one entity in 
the bookmark. 
[Figure 3-122 (screenshot): the Add Bookmark pane. Its header explains that hunting 
bookmarks enable Azure Sentinel users to save, tag, annotate, share, and investigate results 
from a Log Analytics query, and that you can view and manage hunting bookmarks in Azure 
Sentinel - Hunting. The fields are Bookmark Name; Query Information, showing the Time Frame 
of the query; entity mapping for Account (mapped to the Caller column), Host (Choose column), 
IP (mapped to CallerIpAddress), and URL (Choose column); Timestamp (TimeGenerated, 
2021-05-23T21:55:51.307Z); Tags; and Notes.] 

FIGURE 3-122 The Add Bookmark pane 


10. To view your saved bookmarks, navigate to the Hunting page and click the Bookmarks 
tab, as shown in Figure 3-123. 


[Figure 3-123 (screenshot): the Bookmarks tab of the Hunting page, with the toolbar Refresh, 
Last 24 hours, Bookmark logs, and Columns; the counters Active / total queries (135/198), 
Result count / queries run, Livestream Results, and My bookmarks; and the filters Created By, 
Updated By, and Tags. The list columns are Severity, Create Time, Name, Created By, Incident 
name, and Tags; one bookmark, "Strange activity", created 05/24/21, 02:03 PM by Sarah 
Young, is shown.] 

FIGURE 3-123 The Bookmarks tab 
11. You can also view saved bookmarks by navigating to the Bookmark Logs page and 
searching the HuntingBookmark table, as shown in Figure 3-124. The query being run 
is as follows: 


HuntingBookmark 
| take 10 


[Figure 3-124 (screenshot): the Logs page running the query above. The Results tab reads 
"Completed. Showing results..." and shows one row, the "Strange activity" bookmark, with its 
query result stored as JSON.] 

FIGURE 3-124 Searching saved bookmarks in the HuntingBookmark table 


Use hunting bookmarks for data investigations 


Bookmarking certain records can be useful in isolation, but to get the full value of the bookmarks 
feature in Azure Sentinel, you need to use them to assist in investigations. There are several ways 
that you can use bookmarks to enhance your threat hunting when using Azure Sentinel. 


Adding bookmarks to a new or existing incident 


1. Navigate to the Azure portal by opening https://portal.azure.com. 

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 

3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 

4. Click Hunting. The Hunting page appears. 

5. Click the Bookmarks tab, as shown previously in Figure 3-123. 

6. Select the bookmark and click Incident Actions, as shown in Figure 3-125. 


[Figure 3-125 (screenshot): the Incident actions drop-down, with two options: Create new 
incident and Add to existing incident.] 

FIGURE 3-125 The Incident Actions button 
7. You can select either: 

■ Create New Incident When this option is selected, the Promoting Bookmark 
To An Incident pane appears, as shown in Figure 3-126. From here, you can add a 
Description to the incident, select the Severity of the incident, add tags, and assign 
it to an analyst. Once this information is added, clicking Create creates the incident. 


[Figure 3-126 (screenshot): the Promoting Bookmark To An Incident pane, with a Name field 
prefilled with the bookmark name ("Strange activity"), a Description field, a Severity 
drop-down set to Medium, and an Owner picker (Search users, Unassign Incident, Assign to 
me) showing Sarah Young.] 

FIGURE 3-126 The Promoting Bookmark To An Incident pane 
■ Add To Existing Incident When this option is chosen, the Promoting Bookmark 
To An Existing Incident pane appears, as shown in Figure 3-127, where you can 
select the incident to which you want to attach the bookmark. Click Add when you 
are ready. 


[Figure 3-127 (screenshot): the Promoting Bookmark To An Existing Incident pane, with the 
prompt "Please select the incident you want to add the bookmarks to", a search box, and 
filters for Severity and Status (New, Active). The incident list has Incident ID, Title, Alerts, 
and Product columns and shows open incidents with titles such as "TI map IP entity to...", 
"Impossible travel to...", "Sign-in from an unf...", and "New lateral movme...".] 

FIGURE 3-127 The Promoting Bookmark To An Existing Incident pane 


8. To check an incident’s attached bookmarks, navigate to the Incidents page in 
Microsoft Sentinel. 

9. Select the incident you want to check bookmarks for and click View Full Details. 
The Incident Overview page appears. 

10. Click the Bookmarks tab, as shown in Figure 3-128, to check the bookmarks attached 
to the incident. 


[Figure 3-128 (screenshot): the Bookmarks tab of the incident's full details page (tabs: 
Timeline (Preview), Alerts, Bookmarks, Entities (preview), Comments). The list (columns Create 
Time, Name, Created By) shows one bookmark named SecurityEvent, created 05/11/21, 
02:28 PM.] 

FIGURE 3-128 Checking an incident's attached bookmarks 
Exploring bookmarks in the investigation graph 


The investigation graph can be used to explore a bookmark and the entities contained within it. 


1. Navigate to the Azure portal by opening https://portal.azure.com. 

2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 

3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 

4. Click Hunting, and the Hunting page appears. 

5. Click the Bookmarks tab, as shown in Figure 3-129. 


[Figure 3-129 (screenshot): the Bookmarks tab of the Hunting page (toolbar Refresh, Last 24 
hours, Bookmark Logs, Columns; counters Active / total queries 135/198, Result count / 
queries run, Livestream Results, My bookmarks; filters Created By, Updated By, Tags). The list 
(Severity, Create Time, Name, Created By, Incident name, Tags) shows the bookmark "Strange 
activity", created 05/24/21, 02:03 PM by Sarah Young.] 

FIGURE 3-129 The Bookmarks tab 


6. Select the bookmark you want to explore and click Investigate in the Bookmark 
preview pane. The Investigation graph appears, as shown in Figure 3-130. 


[Figure 3-130 (screenshot): the Investigation graph opened from the bookmark, with a node 
for the "Strange activity" incident showing Severity Medium, Status New, Owner Sarah Young, 
and the time 5/24/2021, 4:40:35 PM.] 

FIGURE 3-130 Investigating a bookmark 
7. You can now use the investigation graph to explore the entities in the bookmark, 
just as you can use the investigation graph to explore an incident. If you need more 
information on how to use the investigation graph, refer to Skill 3-5, “Manage Azure 
Sentinel incidents.” 


Convert a hunting query to an analytics rule 


We've spoken earlier in this section about how hunting is a proactive activity in security 
operations. But what if—during that proactive hunting activity—an SOC analyst finds an issue 
that needs to be escalated into an incident? This can be done quickly and easily on the Azure 
Sentinel hunting page, either through a Livestream or directly from a hunting query. 


Convert a Livestream to an analytics rule 
1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 
4. Click Hunting, and the Hunting page appears. 


5. Click the Livestream tab, and the Livestream tab on the Hunting page appears, as 
shown in Figure 3-131. 


[Figure 3-131 (screenshot): the Livestream tab of the Hunting page (toolbar Refresh, Last 24 
hours, New livestream, Guides & Feedback; counters Active / total queries 135/198, Result 
count / queries run, Livestream Results, My bookmarks; filter Status: All). The list (Status, 
Query, Running Since, Results, Last Result) shows the Livestream "Failed login", Running since 
05/25/21, 03:21 PM, with 0 results and a last result of 0.] 

FIGURE 3-131 The Livestream tab 


6. Select the Livestream you want to convert to an analytics rule. 
7. Click Open Livestream at the bottom-right side of the page. The Livestream page 
appears, as shown in Figure 3-132. The KQL of this query is as follows: 


SecurityEvent 
| where EventID == 4625 


[Figure 3-132 (screenshot): the Livestream page (Home > Azure Sentinel > Livestream), with 
the toolbar Play, Save, Create analytics rule, and Columns, the message "Livestream session is 
paused, click 'Play' to start", the Name "Failed login", the query above in the Query field, a 
"View query results" link, and an empty results grid (columns Account, AccountExpires, 
AccountName, AccountType, Activity, Allowed..., showing "No results").] 

FIGURE 3-132 The Livestream page 


8. Click Create Analytics Rule. The Analytics Rule Wizard appears, as shown in Figure 3-133. 


[Figure 3-133 (screenshot): the Analytics rule wizard - Create new rule, General tab (tabs: 
General, Set rule logic, Incident settings (Preview), Automated response, Review and create), 
with the text "Create an analytics rule that will run on your data to detect threats." Under 
Analytics rule details, the Name is prefilled with "Failed login"; below it are Description, 
Tactics (0 selected), Severity (Medium), and the Status (Enabled/Disabled) toggle.] 

FIGURE 3-133 The Analytics Rule Wizard 
9. You can now fill in the details of the analytics rule as you would for any other rule that 
you would create in Azure Sentinel. 


NOTE TITLE AND QUERY LOGIC 


The Livestream title and query logic will be prepopulated in the wizard. 


Convert a hunting query to an analytics rule 
1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 
4. Click Hunting. The Hunting page appears. 
5. Select the hunting query you want to convert to an analytics rule. 


6. Click View Query Results or View Results (both do the same thing) in the Hunting 
Query Preview pane. You will be taken to the Logs page, as shown in Figure 3-134. 
The KQL of the query is as follows: 


AzureActivity 
| where Category == "Administrative" 

[Figure 3-134 (screenshot): the Logs page with the query above and a custom Time range, 
with the New alert rule menu open showing Create Azure Sentinel Alert and Create Azure 
Monitor alert. The Results tab reads "Completed. Showing results from the custom time range" 
and lists AzureActivity rows from 5/24/2021 at 4:40 PM for Update Incidents 
(Microsoft.SecurityInsights/incidents/write) and Update Incident Relations 
(Microsoft.SecurityInsights/incidents/relations...), each Informational, with activity status 
Started or Succeeded.] 

FIGURE 3-134 The Logs page 


7. Click New Alert Rule > Create Azure Sentinel Alert. 
8. The Analytics Rule Wizard appears, as shown in Figure 3-135. The KQL in the query is: 


AzureActivity 
| where Category == "Administrative" 


[Figure 3-135 (screenshot): the Analytics rule wizard - Create new rule, Set rule logic tab 
(tabs: General, Set rule logic, Incident settings (Preview), Automated response, Review and 
create), with the text "Define the logic for your new analytics rule". The Rule query box 
contains the query above, with the note "Any time details set here will be within the scope 
defined below in the Query scheduling fields" and a "View query results" link, followed by the 
collapsible sections Alert enrichment (Preview) (Entity mapping, Custom details), Alert details, 
and Query scheduling.] 

FIGURE 3-135 The Analytics Rule Wizard 


9. You can now fill in the details of the analytics rule as you would for any other rule that 
you would create in Azure Sentinel. 


NOTE HUNTING QUERY LOGIC 
The hunting query logic will be prepopulated in the wizard. 


Perform advanced hunting with notebooks 


The Jupyter Project is an open-source project that was developed to assist data science 
computing across many programming languages. A Jupyter notebook is an open-source web 
application that allows you to create and share documents that contain live code, equations, 
visualizations, and more. Because security operations can essentially be thought of as a 
security-focused data science—in other words, looking for patterns and anomalies in data— 
Jupyter notebooks are very well suited to assisting SOC analysts to interpret data. 


Skill 3-7: Hunt for threats using the Azure Sentinel portal 


In Azure Sentinel, Jupyter notebooks run on the Azure Notebooks platform, which is 
directly connected to the Azure Sentinel user interface. Notebooks allow an SOC analyst to 
conduct investigations and hunting using a huge collection of programming libraries for 
machine learning, visualization, and data analysis. Microsoft has developed a library called 
Kqlmagic that allows you to take queries from Azure Sentinel and run them inside of a 
notebook. As the library name suggests, queries are still run using the KQL language. 


As with the rest of Azure Sentinel, Microsoft has created notebook templates that can be 
used in production as they are, but they also give you some inspiration to make your own. Let's 
go through how to start using notebooks: 


1. Navigate to the Azure portal by opening https://portal.azure.com. 


2. In the Search bar, type Sentinel, and under Services, click Azure Sentinel. The Azure 
Sentinel Workspace page appears. 


3. Select the workspace you want to use. The Azure Sentinel | Overview page appears. 


4. Click Notebooks, and the Notebooks page appears, as shown in Figure 3-136. 


[Figure 3-136 (screenshot): the Azure Sentinel | Notebooks page, Templates tab, with 21 
notebook templates that can be filtered by Category. The list (Notebook name, Status) includes 
A Getting Started Guide For Azure Sentinel ML Notebooks, A Getting Started Guide For 
PowerShell AML Notebooks, Configuring your Notebook Environment, Credential Scan on Azure 
Blob Storage, Credential Scan on Azure Data Explorer, Credential Scan on Azure Log Analytics, 
Entity Explorer - Account, and Entity Explorer - Domain and URL, each with a last version 
update of 04/27/21, 12:00 PM.] 

FIGURE 3-136 The Notebooks page 
5. If you haven't created an Azure Machine Learning Workspace yet, you'll need to do this 
by clicking Create New AML Workspace. You will be taken to the Machine Learning 
page, as shown in Figure 3-137. 


[Figure 3-137 (screenshot): the Machine learning "Create a machine learning workspace" page, 
Basics tab (tabs: Basics, Networking, Advanced, Tags, Review + create). Project details: 
"Select the subscription to manage deployed resources and costs. Use resource groups like 
folders to organize and manage all your resources." Subscription (Contoso Security 
Operations) and Resource group (Sentinel-RG, with a Create new link). Workspace details: 
"Specify the name and region for the workspace." Workspace name (Sentinel-ML-Notebooks), 
Region (Southeast Asia), and the Storage account, Key vault, Application insights, and 
Container registry to create for the workspace, each with a Create new link.] 

FIGURE 3-137 The Machine Learning page 


6. Complete the details of the deployment, which include Subscription, Resource Group, 
Workspace Name, Region, and so on. When you've finished, click Create. 


7. Return to the Notebooks page in Azure Sentinel, select the notebook that you want to 
launch, and select Save Notebook. 




8. You will be asked which Azure Machine Learning (AML) workspace you want to save the 
notebook to, as shown in Figure 3-138. 


[Figure 3-138 (screenshot): the "Save notebook to ..." dialog, with the prompt "Select a name 
for your notebook" (prefilled with "A Getting Started Guide For Azure..."), an "Overwrite?" 
check box, and the Default AML Workspace, Sentinel-ML.] 

FIGURE 3-138 Saving a notebook template to an AML workspace 


9. Click OK, and the notebook template will be saved to your AML workspace. 


10. After the notebook has been saved, the Launch Notebook button will appear on the 
notebook preview pane, as shown in Figure 3-139. 


[Figure 3-139 (screenshot): the notebook preview pane for "A Getting Started Guide For Azure 
Sentinel ML Notebooks" (Created By Microsoft, Last Version Update 1 month ago). Description: 
"This notebook guides you through the basic steps of using notebooks for security analysis. It 
covers all the basic steps you need to understand to start using the notebooks provided with 
Azure Sentinel. It also provides references to further documentation on the capabilities and 
features of notebooks. If this is your first time running a notebook it is recommended that 
you run this notebook before running the others provided with Azure Sentinel. Note: This 
notebook will attempt to use SigninLogs data from your Azure Sentinel workspace, however if 
they are not available it will use sample data." Utilized data types: SigninLogs. A Launch 
notebook button appears at the bottom of the pane.] 

FIGURE 3-139 Launch notebook button appears on the notebook preview pane after the 
notebook has been saved. 
11. Click Launch Notebook. Your notebook will open in the AML interface, as shown in 
Figure 3-140. 


[Figure 3-140 (screenshot): the notebook opened in the Azure Machine Learning studio 
interface, with the file browser on the left and the notebook on the right. The notebook shown 
is titled "A Getting Started Guide for Microsoft Sentinel notebooks with PowerShell" (Notebook 
Version 2), with a Data Sources Required section and an "About this notebook" section; the 
remaining notebook text is not legible in the screenshot.] 

FIGURE 3-140 A notebook opened in the AML interface 


12. If this is the first time you've used your AML interface, you'll also need to configure some 
compute to power your notebook before you can start running it. 

13. At the top-right of the screen, you will see a + sign that displays Create Azure ML 
compute instance when you hover your mouse over it. Click the + and you will be 
taken to the Create Compute Instance page shown in Figure 3-141. 


[Figure 3-141 (screenshot): the Create compute instance page, "Select virtual machine" step. 
A note explains that a compute instance cannot be shared; it can only be used by a single 
assigned user, is assigned to the creator by default, and can be assigned to a different user 
in the advanced settings section. The settings are Location, Virtual machine type (CPU or 
GPU), Virtual machine size (Select from recommended options or Select from all options), 
and Total available quota: 18 cores, followed by a table of sizes with Name, Category (General 
purpose, Memory optimized), Workload types, Available quota, and Cost columns.] 

FIGURE 3-141 Creating compute to run a notebook with 
14. Select the VM you want to use for notebook compute, complete the Compute Name 
details, and click Create. 


15. You can now launch a compute instance to run your notebook by selecting the 
compute instance and clicking the Start Compute triangle-shaped button, as shown 
in Figure 3-142. 


[Figure 3-142 (screenshot): the Compute selector in the notebook toolbar, listing under 
"Recommended (Compute Instances)" the instance "SentinelNotebook - Stopped" (2 Cores, 
8 GB (RAM), 50 GB (Disk), $0.12/hr).] 

FIGURE 3-142 Choosing a compute instance to run a notebook with 


16. You can now work through the notebook and execute the code in each cell by clicking 
the Run Cell button, as shown in Figure 3-143. 


[Figure 3-143 (screenshot): a notebook cell under the heading "Enriching data", with the Run 
cell button to its left. The markdown text reads: "Now that we have seen how to query for data, 
and do some basic manipulation we can look at enriching this data with additional data 
sources. ... some more details about an IP address we have in our dataset using the msticpy 
TIProvider feature." The cell's code, transcribed from the screenshot, is shown below; 
qry_prov is the msticpy QueryProvider and logons_df the DataFrame created in earlier cells 
of the notebook.] 

import pandas as pd 
from datetime import datetime, timedelta 
from msticpy.sectools import TILookup  # msticpy threat intelligence lookup 

# Check if we have logon data already and if not get some 
if not isinstance(logons_df, pd.DataFrame) or logons_df.empty: 
    # set our query end time as now 
    end = datetime.now() 
    # set our query start time as 1 day ago 
    start = end - timedelta(days=1) 
    # run query with specified start and end times 
    logons_df = qry_prov.azure.list_all_signins_geo(start=start, end=end) 

# Create our TI provider 
ti = TILookup() 
# Get a logon IP address (row 1) from our dataset 
ip = logons_df.iloc[1]["IPAddress"] 
# Look up the IP in VirusTotal 
ti_resp = ti.lookup_ioc(ip, providers=["VirusTotal"]) 
# Format our results as a DataFrame 
ti_resp = ti.result_to_df(ti_resp) 
display(ti_resp) 

FIGURE 3-143 Executing code in a notebook cell 
Thought experiment


In this thought experiment, demonstrate your skills and knowledge of the topics covered in this 
chapter. You can find answers to this thought experiment in the next section. 


Security operations at Contoso Ltd. 


You are the SOC manager for Contoso Ltd., a large global organization with offices and operations in several jurisdictions. The organization runs a hybrid environment with both on-premises and cloud IT infrastructure that needs to be monitored for any security breaches. Contoso Ltd. uses Azure Sentinel as its SIEM solution.


As a part of your duties for Contoso Ltd., you run a large follow-the-sun SOC across several countries with hundreds of staff: Tier 1 analysts run the initial triage and basic incident resolution; Tier 2 analysts handle incidents escalated to them from Tier 1; and Tier 3 analysts are the most experienced analysts who take on the most complex cases that Tiers 1 and 2 haven't been able to resolve. Sometimes, this involves the need for Tier 2 analysts to change the configuration of Azure Sentinel.


Looking at your SOC metrics, you can see that both the mean time to triage and the mean time to closure of the Contoso SOC are longer than you expected and that SOC analysts aren't able to respond to and close incidents as fast as your upper management expects them to. Upon speaking to the SOC analysts, they tell you that they don't get notified when a new incident is raised, and they have to manually check the incidents page to see if new incidents have occurred since they last checked. You want to configure more automation into your SOC processes to notify the SOC analysts when a new incident has been triggered.


With this information in mind, answer the following questions: 


1. How can you ensure that Tier 1 and Tier 2 SOC analysts cannot change the data sources 
that are connected to Azure Sentinel and that only Tier 3 analysts have access to do this? 


2. How can you monitor the mean time to triage and mean time to closure in Azure Sentinel?


3. How can you ensure that an alert notification is sent to the SOC team when an incident is triggered?


Thought experiment answers 


This section contains the solution to the thought experiment. Each answer explains why the 
answer choice is correct. 


1. You should assign the correct built-in Azure AD roles for Azure Sentinel. In this example, the Tier 1 and Tier 2 SOC analysts who do not need access to change Sentinel settings should be assigned the Azure Sentinel Responder role, where they can manage incidents and review data. Tier 3 analysts should be assigned the Azure Sentinel Contributor role, which allows them to edit settings in Azure Sentinel.
2. Mean time to triage and mean time to closure are calculated in the Security Operations Efficiency workbook in Azure Sentinel. This workbook uses the data found in the SecurityIncidents table to make its calculations.


3. You should configure a Playbook that sends an alert to the SOC team to inform them that a new incident has been raised in Azure Sentinel. This notification could be via email, Teams, and so on. Configure it so that it aligns with the team's operational processes.
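The two metrics in answer 2 can also be computed directly from the incident data with a KQL query of your own. The following is an added example and not from the book or the workbook; it assumes the Log Analytics table name SecurityIncident (the incident table the answer refers to) with its CreatedTime, FirstModifiedTime, ClosedTime, Status and Severity columns, and it treats an analyst's first modification of an incident as the triage event.

```kql
// Latest state of each incident: the table stores one row per incident
// update, so keep only the most recent row per IncidentNumber.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Time to triage: creation until the incident was first modified
// (assigned, or its status or severity changed). Incidents that were
// never touched stay null and are left out of the average.
| extend TimeToTriage = FirstModifiedTime - CreatedTime
// Time to closure: creation until closure, for closed incidents only.
| extend TimeToClosure = iff(Status == "Closed",
                             ClosedTime - CreatedTime,
                             timespan(null))
| summarize
    Incidents = count(),
    Closed = countif(Status == "Closed"),
    StillUntriaged = countif(isnull(FirstModifiedTime)),
    MeanTimeToTriage = avg(TimeToTriage),
    MeanTimeToClosure = avg(TimeToClosure)
    by Severity
| order by Severity asc
```

Breaking the averages out by Severity shows whether slow closure is concentrated in high-severity cases or spread across the queue, which is the split a SOC manager would compare against the team's targets.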


Chapter Summary 


Azure Sentinel is both a SIEM and SOAR product. 


Azure Sentinel has out-of-the-box templates for almost every configurable part of 
the product. Make sure that you utilize these first before you create something new 
from scratch. 


Azure Sentinel can support a single workspace, multiple workspaces in one Azure 
tenancy, and multiple workspaces cross tenancy implementation models. 


Data sources are critical for a successful security operations procedure in an organization. Too much data is costly, but too little data can leave blind spots.


Data sources have three main methods of ingestion in Azure Sentinel: built-in connector, CEF/syslog collection, and custom connectors.


Azure Sentinel can support both the ingestion and matching of TI for enrichment of 
incidents, hunting, and analytics rules. 


Analytics rules can be configured as scheduled queries or Microsoft security analytics rules.
KQL is the query language used for all logic definitions in Azure Sentinel. 

Azure Logic Apps provides automation capabilities for Azure Sentinel. 

Automation has three main uses in Azure Sentinel: alerting, remediation, and enrichment. 
Workbooks are the method by which data can be visualized in Azure Sentinel. 


Hunting is the proactive side of threat detection and can be performed with queries, with livestreams, or in notebooks.
Azure Defender alert rules
  setting up email notifications, 150-151
  suppression, 151-153
  validating alert configuration, 146-150
Azure Defender for Azure Kubernetes (AKS), 165-166
Azure Defender for Servers
  Kubernetes, 165-166
  Linux, 165
  Windows, 164-165
Azure Lighthouse, 187-188
Azure Log Analytics, custom logs, 214-215
Azure Logic Apps
  automation, 157-161
  connector list, 236
  custom log ingestion, 215-220
  security incident remediation, 242-243
  signing in to Azure Sentinel, 239
  template deployment, 248
Azure Machine Learning (ML) workspace, 298-299
Azure Monitor, 193, 215
Azure Monitor HTTP Data Collector API, 215
Azure portal
  Analytics page, 221
  Auto Provisioning settings, 134
  navigating to, 126
  Resource Groups page, 191
Azure Resource Manager (ARM) templates, 163-164, 171-172, 246
Azure Security Center
  configuring automated response, 154-156
  Security recommendations, 130
Azure Security Insights, 249
Azure Sentinel. See also SOAR (security orchestration, automation, and response)
  Access Control (IAM) for resource group, 191
  advanced visualizations, 269-271
  alerting and remediation, 237
  Analytic Templates, 230
  analytics rules, 220-227, 231
  automation scenarios, 236-237
  and Azure Lighthouse, 187-188
  CEF and Syslog event collections, 202-205
  charts, 270
  commitment tiers, 189
  connector-provided scheduled queries, 229-230
  Contributor role, 190
  custom scheduled queries, 230-231
  data analysis, 272-274
  data connectors, 199-202
  Data Connectors gallery, 197
  data retention, 193
  Data Retention settings, 194
  data sources, 195-199
  data storage, 193-195
  design considerations, 188-189
  email connectors, 240
  Entity Behavior page, 259-260
  EPS (events per second), 205
  Event IDs, 211
  free data sources, 199
  GitHub repository, 243, 245
  graphs, 271
  grids, 271
  guest users assigning incidents, 195
Azure Sentinel (continued)
  incident creation logic, 231
  incidents, 249-257
  investigating incidents, 249-254
  IN USE analytic rules, 230
  investigation graphs, 251-253
  KQL (Kusto Query Language), 232-235
  Livestream, 281-284
  and Log Analytics, 186
  Log Analytics workspace, 189, 194
  lookback windows, 226
  Microsoft Graph Security API, 198
  multi-workspace incidents, 256-257
  Outlook account, 240
  Overview page, 197
  permissions, 190-192
  permissions and built-in roles, 196
  Playbooks, 195, 236-249
  pricing calculator, 193
  query results and bookmarks, 284-288
  Reader role, 190
  Responder role, 190
  responding to incidents, 255-256
  roles, 190-192
  rules and data sources, 223
  scheduled queries, 230-231
  Security Events connector, 205
  security operations efficiency workbooks, 274-276
  service security, 195-196
  signing in from Logic App designer, 239
  Syslog and CEF event collections, 202-205
  threat detection, 224-227
  threat intelligence connectors, 211-214
  tiles, 271
  tracking incident metrics, 274-276
  triage incidents, 254-255
  UEBA (user and entity behavior analytics), 257-261
  viewing and analyzing data, 272-274
  visualizations, 269-271
  Windows Events collections, 205-211
  workbooks, 195, 262-269, 272-274
  workspace, 186-190, 196
Azure Sentinel portal. See also threats
  custom hunting queries, 277-279
  hunting bookmarks for data investigations, 288-292
  hunting queries and analytics rules, 292-295
  hunting with notebooks, 295-300
  Livestream for hunting queries, 281-284
  monitoring hunting queries, 281-284
  running hunting queries, 279-280
  tracking queries with bookmarks, 284-288
Azure WAF (Web Application Firewall), 133
Azure Web Application Firewall (WAF), 133
Azure Windows Virtual Machines, Windows security event collection, 206-207


B


bookmarks. See also hunting bookmarks
  adding to incidents, 288-290
  exploring in investigation graph, 291-292
  promoting, 289-290
  tracking query results, 284-288
C


CASB (Cloud App Security Broker), 99
CEF and Syslog event collections, 202-205
charts, Azure Sentinel workbook, 270
Cloud App Security Broker (CASB), 99
cloud applications, 104
Cloud Connector, configuring, 140-143
Cloud Security Posture Management (CSPM), 128
Cloud Workload Protection Platform (CWPP), 129
"collection is not detection," 198
cost savings, looking for, 128
Count operator, KQL, 233
credential harvesting website, 3
cross-domain incidents
  Add file hash indicator, 116
  Add URL/Domain Indicator, 115
  Alerts view, 109
  Devices tab, 108
  Email Actions, 113
  email and collaboration explorer query tool, 113
  examining, 214-214
  File page, 116
  hunting query editor, 112
  Impossible Travel Activity alert, 110
  Inbox mail forwarding rule, 110
  Incident page, 108
  Manage Incident, 117
  managing, 106-118
  Suspend User, 108
  Suspicious PowerShell Command Line alert, 111
  Threat analytics, 106-107
  URL page, 114
cross-workspace analytics rules, 257
CSPM (Cloud Security Posture Management), 128
custom logs, 214-220. See also Log Analytics
CWPP (Cloud Workload Protection Platform), 129
cybersecurity awareness program, 24


D


data connector vs. Logic App connector, 218
data investigations, hunting bookmarks, 288-292. See also investigation graphs
data loss prevention (DLP) alerts, 32-34
data protection, 30-35
Detection Rule wizard, creating, 74
detections, customizing, 70-81
devices, Microsoft products for, 104
DLP (data loss prevention) alerts, 32-34


E


EDR (Endpoint Detection and Response), 53
email. See also spear phishing email
  and Office documents, 104
  protecting, 3
email alert Playbook, 237-241
email connectors, Azure Sentinel, 240
email notifications, Azure Defender alert rules, 150-151
Endpoint Detection and Response (EDR), 53. See also Microsoft Defender for Endpoint
enrichment
  automation in Azure Sentinel, 237
  triage incidents, 255
EOP (Exchange Online Protection), 14
EPS (events per second), Azure Sentinel, 205
event ID, collection for Windows, 135
Event IDs, Azure Sentinel, 211
Exam Tips
  Azure Sentinel, 256
  cost savings on data, 128
  custom workbooks, 266
  data connectors for Azure Sentinel, 198
  file activity store in cloud apps, 103
  KQL queries, 232
  metrics for SOC managers and KPIs, 276
  remediation activities and exceptions, 83
  remediation ideas, 243
  rights to endpoint data, 47
  Security Operations Efficiency workbook, 275
  UEBA (user and entity behavior analytics), 261
  Visualizations Demo workbook, 270
  workbooks and KQL queries, 268
exceptions, creating and viewing, 88-89
Exchange Online Protection (EOP), 14
Extend operator, KQL, 233


F


Fusion rules, Azure Sentinel, 221


G


GCP (Google Cloud Platform), 132, 143-145
GDPR (General Data Protection Regulation), 181
General Data Protection Regulation (GDPR), 181
GitHub repository, 71
Google Cloud Platform (GCP), 132, 143-145
graphs, Azure Sentinel workbook, 271
grids, Azure Sentinel workbook, 271


H


HTTP Data Collector API, 214-215
hunting bookmarks, 288-292. See also bookmarks
hunting queries. See also notebooks; queries
  converting to analytics rules, 292-295
  customizing, 277-279
  monitoring using Livestream, 281-284
  results on Logs page, 286
  running manually, 279-280


I


identity threats, identifying and responding to, 89-95. See also Microsoft Defender for Identity
impersonation protection, anti-phishing policies, 14
incident tab, posting comments on, 256
incidents
  adding bookmarks, 288-290
  Azure Sentinel, 249-257
  investigating and remediating, 35-37, 40
  managing with Playbooks, 243-244
  multi-workspace, 256-257
  remediating, 161-163
  responding to, 55-70
  tracking metrics, 274-276
indicators, creating, 81
Indicators of compromise (IOCs), 78-79
insider risk, 34-35. See also risk management
investigation graphs, 251-253, 291-292. See also data investigations
IOCs (Indicators of compromise), 78-79, 211-212, 214
J


JIT (just-in-time) access feature, Azure Defender, 181
JSON Request Body format, Playbooks, 219


K


Key Vault, Azure Defender for, 170-171, 179-180
KQL (Kusto Query Language)
  Advanced Hunting, 71
  analytics rule, 226
  overview, 232-235
  query time parsing, 203
  workbook templates, 268
Kubernetes, Azure Defender for Servers, 165-166
Kusto Query Language (KQL)
  Advanced Hunting, 71
  analytics rule, 226
  overview, 232-235
  query time parsing, 203
  workbook templates, 268


L


labeling, 30-35
Let operator, KQL, 233
Linux, Azure Defender for Servers, 165
Livestream
  converting to analytics rule, 292-294
  monitoring hunting queries, 281-284
Log Analytics. See also custom logs
  agent, 203-204, 207-208
  and Azure Sentinel, 186
  Azure Sentinel, 193
  gateway,
  queries, 71
  workspace, 189, 194
Logic Apps
  automation, 157-161
  connector list, 236
  custom log ingestion, 215-220
  security incident remediation, 242-243
  signing in to Azure Sentinel, 239
  template deployment, 248
Logs page, 294


M


Machine learning (ML) behavioral analytics, 221
Machine Learning page, 237
malicious attachments, 9-14
malicious spear phishing email, 2-3
MCAS (Microsoft Cloud App Security)
  admin access, 99
  alerts, 102-104
  Impossible Travel Policy, 101-102
  risk domain, 104
  threat detection policies, 99-102
Microsoft, threat protection products, 104
Microsoft 365 Defender, cross-domain incidents, 106-118
Microsoft 365 Defender Security portal
  cross-domain incidents, 105-106
  cross-domain investigations, 104-118
  Incidents view, 56
  products, 104-105
  adk resource, 118
Microsoft Defender
  Playbooks, 244-249
  triggers and actions, 245
Microsoft Defender Credential Guard, 87-88
Microsoft Defender for Endpoint. See also Endpoint Detection and Response (EDR)
  advanced settings, 53
  alert notifications, 51-53
  Alert page, 60-61
  Breach insights icon, 84
  Classification and Status, 59
  configuring, 41
  custom detections, 70-78
  custom indicators, 78-81
  data storage and privacy, 42
  Demote Rank button, 51
  Determination setting, 70
  device groups, 43, 47-50
  Device action menu, 63
  Devices tab, 68
  enabling roles, 44-45
  file hash indicator, 79-81
  File menu, 66
  incidents and alerts, 55-70
  investigation graph, 65
  Investigation Summary, 68
  IOCs (Indicators of compromise), 78-79
  Manage incident, 69
  permissions, 47
  Promote Rank button, 51
  Remediation Request wizard, 85
  risk domain, 104
  role-based access control, 43-51
  roles, 43
  security tasks, 86
  setting up for deployment, 42
  setting up for subscription, 41-43
  Simulations & Tutorials, 55
  Suppression Rule for alert, 62
  User Access tab, 49
  user groups, 46
Microsoft Defender for Identity. See also identity threats
  Honeytoken configuration, 98
  investigating alerts, 96-98
  portal, 99
  quick start guide, 95
  risk domain, 104
  Timelines, 96-97
  User Directory Data, 98
Microsoft Defender for Office 365
  alerts, 35-40
  remediation actions, 39
  risk domain, 104
  roles, 4
  Safe Attachments policies, 13
Microsoft Graph Security API, Azure Sentinel, 198
Microsoft Intune Connection, 85
Microsoft security rules, Azure Sentinel, 221
Microsoft security service
  alert connector, 228
  analytics rules, 227-229
  Include/Exclude Specific Alerts, 229
Microsoft Threat Experts (MTE) service, 64
MITRE ATT&CK, 2, 57-58, 95, 148
ML (Machine learning) behavioral analytics, 221
Monitoring Agent Setup Wizard, 209
MTE (Microsoft Threat Experts) service, 64


N


notebooks, advanced hunting, 295-300. See also hunting queries


O


Office 365 roles, 4
OfficeActivity table, 233
OMS agent, installing, 203-204
Outlook account, signing into, 240


P


PaaS-related resources, Azure, 133
phishing thresholds, 15
Playbooks
  across Microsoft Defender solutions, 244-249
  attaching to analytics rules, 242
  Azure Defender, 156-161
  Azure Sentinel, 195
  email alert, 237-241
  GitHub repository, 243
  JSON Request Body format, 219
  managing incidents, 243-244
  remediating threats, 242-243
  running against alerts, 256
  running in Logic App Designer, 218
  templates, 245-248
  testing, 219, 241
Project operator, KQL, 233


Q


queries, best practice, 73. See also hunting queries
query results, tracking with bookmarks, 284-288
query time parsing, KQL (Kusto Query Language), 203


R


RBAC (Role-Based Access Control), 124
remediating
  incidents, 161-163
  threats, 242-243
remediation, activities, and exceptions, 83-89, 237
risk domains, 104
risk management, 34-35, 81-89. See also insider risk; security recommendations; vulnerability management
role groups, 24
Role-Based Access Control (RBAC), 124
  Microsoft Defender for Endpoint, 43-51
roles, Office 365, 4


S


SaaS (Software as a Service), 99-104
Safe Attachments policy, 9-14
Safe Links policy, configuring, 3-9
Scheduled queries, Azure Sentinel, 221
Secure Hash Algorithm 1 (SHA1), 63
Security Events connector, Azure Sentinel, 205
security incident flow diagram, 105
security information and event management (SIEM), 185, 235
security operations center (SOC), 145, 224
Security Operations Efficiency workbook, 274-276
security orchestration, automation, and response (SOAR), 236-248
security recommendations, 81-89, 130. See also risk management
SecurityIncidents table, 250
sensitivity labels, 30-32
SHA1 (Secure Hash Algorithm 1), 63
SHA256 hash, IOCs (Indicators of compromise), 78-79
SIEM (security information and event management)
  solutions, 198
  translating rules to KQL, 185, 235
simulations. See attack simulation training
SOAR (security orchestration, automation, and response), 236-248. See also Azure Sentinel
SOC (security operations center), 145, 224, 249
Sort operator, KQL, 233
spear phishing email, 2-3. See also email
SQL, Azure Defender for, 169-170
STIX (Structured Threat Information eXpression), 212
Storage, Azure Defender for, 167-168
Structured Threat Information eXpression (STIX), 212
summarize operator, KQL, 233
suspicious user activity, detecting, 104
Syslog and CEF event collections, 202-205


T


Take operator, KQL, 233
TAXII (Trusted Automated eXchange of Indicator Information), 212-213
Threat & Vulnerability Dashboard, 82
Threat analytics, 118
threat intelligence, Azure Defender, 178-179
threat protection products, 104
threats. See also Azure Sentinel portal
  detecting, 224-227
  identifying with UEBA, 257-261
  remediating, 242-243
TI (threat intelligence), custom connectors, 211-214
TI matching, triage incidents, 254
tiles, Azure Sentinel workbook, 271
Timeline tab, viewing alerts on, 255
Top operator, KQL, 233
Trusted Automated eXchange of Indicator Information (TAXII), 212-213


U


UEBA (user and entity behavior analytics), 104
uncoder.io tool, using with SIEMs, 235
user activity, detecting, 104
user and entity behavior analytics (UEBA), 257-261
user data, discovery during investigation, 181
V


Visualizations Demo workbook, 270
VMSS (VM Scale Set), 135
vulnerability management, 81-89. See also risk management


W


WAF (Web Application Firewall), 133
watchlists, triage incidents, 254
Web Application Firewall (WAF), 133
Where operator, KQL, 233
Windows, Azure Defender for Servers, 164-165
Windows Events collections, 205-211
Workbook template summary, 264
workbooks
  customizing, 266-269
  data analysis, 272-274
  parameters, 274
Workbooks gallery
  Azure Sentinel, 263
  saving workbooks in, 265